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P.O. Box 1450 

Alexandria, Virginia 22313-1450 
Dear Sir: 

This request is being filed in order to correct the record of the currently pending 
application in regard to the submittal of a computer program listing saved and submitted 
on a first and a second compact disc (CD) in conjunction with the above-referenced 
patent application; said CDs apparently reported as not being received at the USPTO. 

The computer program listing in question was additionally submitted on a first 
and second CD respectively in related United States non-provisional patent application 
serial no. 10/000,396 and PCT patent application PCT/USOl/45,275, both entitled "Flow- 
Based Detection of Network Intrusions." 

A status inquiry was submitted to the USPTO on March 11, 2005. The purpose of 
the status inquiry was to obtain an indication of when a communication would be 
received from the USPTO in regard to the pending application or when the pending 
application would be examined. Concurrently with the submittal of the status inquiry to 
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SN: 10/062,621 
10775-36791 
Customer No. 24728 

the USPTO a search was made via PAIR of the USPTO file history. A review of the 
documents posted on PAIR showed that the utility patent application transmittal form 
submitted in regard to the above-referenced patent application had been stamped with an 
indicator that the USPTO had not received the CD-ROM copy one and copy two. 

A review of our files indicated that the utility patent application transmittal form 
(attached hereto as Exhibit A) had appropriately been highlighted to specify that a CD- 
ROM or CD-R was attached in duplicate. A transmittal of computer program listing on 
CD form (attached hereto as Exhibit B) was submitted specifying therein that two copies 
of a CD-R compact disc were being submitted, wherein the compact discs were labeled 
as "Copy 1" and "Copy 2." Further, a return postcard was submitted to the USPTO, 
wherein conspicuously listed under the "Enclosures" section on the postcard was a 
statement reporting the transmittal of "Computer Program Listing on CD, copies 1 and 
copies 2 of a CD with program listing." 

On April 20, 2005, a telephone conference was conducted with Examiner Ronald 
Baum, wherein the subject of the telephone conference was the non-reception of the CDs 
submitted with the filing of the patent application of the above-referenced matter. During 
the telephone conference, Examiner Baum suggested that the Applicant resubmit CD 
copies 1 and 2, in addition to submitting a printout of the computer code that is contained 
within the submitted CD-Rs. 

The Applicant submits that a review of its file indicates that the CD-Rs labeled 
"Copy 1" and "Copy 2" were believed to have been properly submitted to the USPTO in 
accordance with the filing practices of Applicant's law firm. In an attempt to correct the 
present record of the currently pending patent application, as suggested by Examiner 
Baum, the Applicant hereby submits a printout of the computer code that is contained 
within the previously submitted CD-Rs. Further, pursuant to 37 C.F.R. § 1.52(a) the 
Applicant hereby submits herewith two (2) copies of one (1) compact disc (CD-R) 
entitled "Lancope Code.txt Computer Listing," each in conformance with the 
International Standards Organization (ISO) 9660 Standard, with the contents in 
compliance with the American Standard Code for Information Exchange (ASCII), 
enclosed in a hard compact case within an unsealed padded and protected mailing 
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envelope, labeled as "Copy 1" and "Copy 2", accompanied by this transmittal letter, as 
required by said Rule. 

In accordance with 37 C.F.R. § 1.52(e)(3)(ii), the operating system compatibility 
for the files contained herein are in the Microsoft Windows NT Operating System, and 
the CD-R includes the following ASCII text file contained on the compact disc, including 
the file's name, size in bytes, and date of creation, as follows: 



DATE OF 
CREATION 


SIZE IN 
BYTES 


FILE NAME 


Jan. 30, 2002 


154,450 


LANcope Code.txt 



Pursuant to 37 C.F.R. § 1.52(e)(4), Applicant hereby states that the two compact 
discs identified as "Copy 1" and "Copy 2" are identical. 

In accordance with 37 C.F.R. § 1.52(e)(6), each CD "Copy 1" and "Copy 2" is 
labeled with information indicating the name of the inventor, title of the invention, 
Applicant's docket number, the creation date of the compact disc (January 30, 2002), and 
an indication whether such copy is "Copy 1" or "Copy 2". 

Applicant has made a bona fide attempt to correct the record in regard to the 
presently pending patent application. If any condition remains incomplete, then 
Applicant kindly requests that the undersigned be contacted at the address or telephone 
number shown below so that such condition may be met. 



Respectfully submitted, 

MORRIS, MANNING & MARTIN, LLP 



August 9, 2005 




Wendell A. Peete, Jr. 
Reg. No. 52,108 



MORRIS, MANNING & MARTIN, L.L.P. 

1600 Atlanta Financial Center 

3343 Peachtree Road, N.E. 

Atlanta, Georgia 30326 

404-233-7000 Main 

404-495-3682 Direct 

Customer No. 24728 
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Readme 

FILE INDEX FOR FILES ACCOMPANYING THE PATENT APPLICATION OF 

John copeland 

"Network Port Profiling" 

Filed January 30, 2002 

NOTICE OF COPYRIGHT 

A portion of this disclosure of this patent document contains material that is 
subject to copyright protection. The copyright owner has no objection to the 
facsimile reproduction by anyone of the patent document or the patent disclosure, as 
it appears in the Patent and Trademark office patent file or records, but otherwise 
reserves all copyright rights whatsoever. 

All files are in ASCII (text) format and saved with " .txt" file suffix. All files 
can be opened in Microsoft WORD 97, within windows NT. 

All files are originally C code files. 

Note that the "date of creation" listed below of the files is .the date on which the 
files were created for the purpose of inclusion on this CD-ROM; the date is NOT the 
date on which the contents of such files were created. 



There is 1 file, not including this file: 

Sizein Date File Name 

Bytes 



154,450 January 30, 2001 LANcope Code. txt 
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LANcope Code 

#define .REENTRANT // basic 2-"lines for threads 

#include <pthread.h> // compile gcc -Ipthread -fvolatile -fvolatile-global 

#include <time.h> //assumes service is same as port 

#include <stdio.h> 

#include <stdlib.h> 

#include <string.h> 

#include <sys/types . h> 

#include <sys/stat.h> 

#include <signal .h> 

// lancope 000527 Thread 1 collects packet header and sorts into flows (from 
ipselect.c 991215) 

// compile: gcc lancope. c -03 -pthread -fvolatile -fvolatile-global -o lancope 
// MUTEX order: none -> flows -> hosts -> pairs -> bs 

// You can skip a lock going to the right, but NEVER go left without unlocking 

higher db's 

char proqid[100] = "LANcope by John Copeland 9/28/00, copyright 2000, all rights 
reserved 1 ; 

FILE *infile, *log_flow , *xfile, *alertfile, *traffile, *config, *log_pkt_file, 
*log_pair ;// files 



CI 



HO_ ATTACK_INIT_CI 

H0__ATK_PER_SYN 

PORT_SCAN_CI 

PORT_SCAN_LT__CI 

PORT_SCAN_MAX 



Weights - 
2000 // 
501 // 
666 // 
999 // 
8 // 



// 



// - 
#define 
#define 
#define 
#define 
#define 
30s 

#define PORT_SCAN_LT_MAX 16 // max number or ports on all host 1st probed long 
term 
#define 
#define 
#define 
#define 
#define 
#define 



P0RT_SCAN2_CI 

HI_HI_CI 

L0_HI_CI 

LO_LO_CI 

UNKNOWM_CI 

HOST_SCAN_CI 



10 // 

50 // 

500 // 

100 // 

3 // 

3000 // 



half -open attack from initial flow eval 
half -open attack per SYN, final flow eval 
per short-term port scan detected 
per long-term port scan detected 
max number or ports on all host 1st probed in 



per flow with no C or S determined 

per high-port to high-port connection 

per low-port to high-port connection 

per low-port to low-port connection 

per low-port to low-port connection 

per address scan detected 



#undef CHECK_INDEX // check HASH INDICES for out-of- range 

#undef TEST // check for URG PTR != 0, flag-exception errors 

#define flow_dead 320 // inactive time -> flow finished must be > 300 for 

'persistant 1 http ^ 

#define L00SE_PERI0D 900 // time in seconds for 'loose 1 classification of flows that 

start 

#define LINES_PER_SCREEN 40 // 1.6 x rough number of lines on Traffic and CI 
Alerts Web screens 

#define SHORT_UDP_MAX 2 // max size for UDP data fields in a short UDP 
#define UDP_PORT_OFFSET 2048 // added to udp ports before using port no. as offset 
in port_mask[j] 

#define PORT_mask_SIZE 2058 // to dimension port_mask[] should be 4 larger 
#define LOW_PT_MAX 1024 // a "low" port is less than this 

#define SLOTS 131073 //no. flows in data table > 2**SHIFT+1 8193 16385 32769 65537 
131073 262145 

#define SHIFT 17 // size of shifts to make index. Max = 13 14 15 16 
17 18 

#define MASK Oxlffff //mask all but Max-SHIFT right-most bits xlfff x3fff x7fff 
xffff xlffff x3ffff 

#define RANGE 15 // search range for empty slot 
struct flow_db { 

unsigned long ip[2] ; // 0 - ip address - lowest 

unsigned short pt[2] ; //tcp or udp ports 

Page 1 



0x10 



unsigned short pt_min 

unsigned short pt_jnax 

unsigned long root ; 

unsigned long down ; 

unsigned long up; 

unsigned long start ; 

unsigned long last ; 

unsigned long state ; 



LANcope Code 
// client minimum port 
// client maximum port 



// FLOWTYPE =0,2 or for 4-TCP, 1-UDP classified = 
// well-known port number of service, even if on a 
// max number ports for ipO pair 



unsigned short service 
different port 

unsigned short scans ; 
unsigned long bytes [2] 
unsigned long pkts[2] ; 
unsigned long flgs[2] ; 
unsigned short bmary[2] ; 
unsigned short bin_norm[2] ; 

unsigned char flag[2] [7] ;//0 bad, 1 reset, 2 urgent, 3 syn, 4 syn-ack, 5 
fin&!ack, 6 fin&ack 

unsigned char flag_norm[2] ;// urg ptr 
} flow [SLOTS] ; 

// elements in flow[ ].flag[j][ FLAG ] 

#define BAD 0 

#define RST 1. 

#define URG 2 

#define SYN 3 

#define 4 // SYN-ACK 

#define ATK_CTR // attack counter 

// bits in flow[ ]. state // 1 - udp, 2 - ipO first, 4 - ipl first 

#define udp_flow 0x01 // xO, x2, x4 are TCP stages 

#define LOOSE 0x10 // loose matching for startup an split-path 

#define ip0_FlRST 0x20 // ipO sent first packet 

#define ipl_FlRST 0x40 // ipl sent first packet 

#define not_first_pkt 0x60 // first packet when neither ip0_FiRST nor ipl_FiRST is 
set 

#define FIRST_IN_FL0 0x60 // mask to test for "not loose and this is first pkt of 
flow" 

// first TCP packet seen was not a SYN 
// clasified, but continue to watch 
// do not continue checking (attack noted) 
// probe 



#define NO_SYN 0x80 
#define CLASSIFIED 0x100 
#define ATTACK 
#define probe 
#define atk_probe 
#define ATTACK_CHK 0x800 
#define FTP_SER_0 
#define FTP_SER_1 
connection 
#define ftp_any 
#define HI_HI 



// ATTACK or PROBE 

// 



0x200 
0x400 
0x600 

log all packets after WATCH or ATTACK is set 

0x1000 // FTP_EST = FTP_OLD | FTP_PASS 
0x2000 // passive FTP, server is ipl data is on a hi 

0x3000 // any type FTP if true 
0x4000 // both ports > 1023 



hi 



#define WATCH^FLOW 0x8000 // marks flow so packets and flow is logged 



// ip-pair data to detect scans, 2An + 1 1025 
// size of shifts to make index. Max =n 10 



2049 
11 



#define SCAN_SLOTS 4097 
4097 8193 
#define SCAN_SHIFT 12 
12 13 

#define SCAN_mask Oxfff //mask all but Max-SHIFT right-most bits x3ff x7ff 
xfff xlfff 

#define scan_range 25 // search range for empty slot 



#define SCAN_max 4 
ports 



// ip-pair flow[i] elements limit for same IP, different 



struct ip_pair { 



unsigned long ipO 
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//ip address - source 



unsigned long ipl 



uns 
uns 
uns 
uns 
uns 
unsi 
uns 
unsi 
unsi 
uns 



LANcope Code 



//ip address - target 



igned long root ; 
igned long down ; 
igned long up; 
igned long start ; 
igned long last ; 
igned long concern ; 
igned short n_ports ; 
igned short njiits ; 
igned char type[16] ; // values below 
unsigned char walk[16] ; // distance of port walk 
unsigned short port [16] ; 
} scans [SCAN_SLOTS] ; 

#define UDP_PR0BE 1 // values for scans [i] .type [ VALUE ] 

#define TCP_PR0BE 2 

#define short_udp_scan 3 

#define BOOMERANG 4 

#define ping_SCAN 5 

#define ICMP_T0 6 

#define TCP_TO 7 

#define udp_to 8 

#define BAD_PKT_TRACE 9 

#define TCP_PORT_SCAN 10 
#define tcp_addr_scan 11 
#define HALF_OPEN 12 

unsigned long scin[16], scans_pr_cut , scans_cut ; // distribution of scans[] .concern 
values 

unsigned long scan_pai r (unsigned long ipO, unsigned long ipl, unsigned char 
type, unsigned short port); 

// number Host slots 2An + 1 16385 32769 

// point to start dropping old outside host records with 



65537 



#define H0ST_SL0TS 
65537 131073 262145 
#define H0ST_LIMIT 20000 
ci=0 ; 

#define HOST_SHlFT 16 
16 17 18 
#define HOST_MASK Oxffff 
xffff xlffff x3ffff 
#define HOST_RANGE 25 
#define HOST_MAX 4 
struct host_db { 



// size of shifts to make index. Max =n 

//mask all but Max-SHIFT right-most bits 

// search range for empty slot 
// ip-pair flow limit HOSTS 



14 15 
x3fff x7fff 



gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
unsigned 
unsigned 
unsigned 



unsi 

unsi 

unsi 

uns 

uns 

uns 

uns 

uns 

unsi 

uns 

unsi 

unsi 

uns 

uns 

uns 

uns 

uns 



ong ip ; 
ong root ; 
ong down ; 
ong up; 
ong start ; 
ong last ; 
ong udp_bytes ; 
ong bytes_in ; 
ong bytes_in_pp 
ong bytes_in_mx 
ong pkts_in ; 
ong flgs_in ; 
ong bytes^ot ; 
ong bytes_ot_pp 
ong bytes_ot_mx 
ong ptcts_ot ; 
ong flgs_ot ; 
ong port_smin ; 
ong port_smax ; 
ong port_cmin 



//ip address 



// multimedia bytes 

// for web_alert period 
; // Bytes over 5 min (wai) 
; // max all day 



// for web_alert period 

; // Bytes over 5 min (wai) 

// max all day 



// 6 -> Server ports (0-1023) 
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// 7 -> Client of ports ( 0-1023) 



is 0, H128 1, 



unsi 
uns 
uns 
uns 
uns 
uns 
uns 
unsi 
unsi 
unsi 
uns 
uns 
uns 
uns 
unsi 
uns 
uns 
unsi 
uns 
uns 
P_ST 
uns 
uns 
uns 
uns 
uns 



gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
gned 
, P-LT 

gned 
gned 
gned 
gned 
gned 



unsigned 
unsigned 
unsigned 



long 
long 
long 
long 
long 
short 
short 
long 
long 
long 
long 
long 
long 
long 
long 
long 
long 
long 
long 
char 
3 

long 
long 
long 
long 
long 
long 
long 
long 
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port_cmax ; 
server 



client 
s_profi 
c_profi 
s_list 
c_list 
s_f 1 ows 
c_fl ows 
u_f 1 ows 
resets 
rejects 
no_con_t 



e 
e 

10] 
10] 



common server ports - provided 

common server ports - used 

common server ports - provided 

common server ports - used 



// 32 
// 32 
// 32 
// 32 

// list of uncommon servers 
// list of uncommon clients 
// server flows 
// Client flows 
// unknown (not CS) flows 
// TCP Resets 
// icmp 'port unavailable 1 
// tcp, no response 
// DNS flows 



dns_fl ows 

mm_s ; // multimedia server 
mm_c ; // multimedia client 
mm_p ; // multimedia peer 
pt_scans ; // no answer flows 
host_scan[5] 
scan_cntr[4] 



e.g. scanning 
// used to detect host scans 
// used to count bits port scans H32 



} h0St[ HOST_SLOTS ] 



port_scan[4] ; // used to detect port scans 

bad_pkts ; // SYN-ACK, and any other than stadard 7 

bad_flow ; // Not Server < 1024, Client > 1024 

pings ; // pings 

traces ; // traces 

alerts ; //bit map of alert condition 

alarrrut ; // last time an alarm was set 

concern ; // accumulated CI 



#define LOCAL_NETS 20 // maximum number of local subnets 

//#define IRC 0x40000 // bits in host []. server or client above those read 

in from "lancope_config" 



#define 

#define 

#define 

#define 

#define 

#define 

#define 

#define 

#define 

#define 

#define 

#define 

#defi ne 

#define 

#define 

alerts 

#define 

host in 

#define 

and web 

#define 

#define 

#define 



LOCAL_HOST 
PING_ALERT 
TRACE_ALERT 



0x1 
0x2 
0x4 



// bits in host [] .alerts 



RE J ECT_J\LERT 0x8 



PKT_ALERT 



0x10 



PT_SCAN^ALERT 0x20 



PORT_SCAN2 

HI_HI_CS 

LO_HI_CS 

LO_LO_CS 

SHORT_UDP 

IP_SCAN 

HO_ATTACK 

LT_PT_SCAN 

TRAF_ALARM 



0X40 
0x80 
0x100 
0x200 
0x400 
0x800 
0x1000 
0x2000 
0x4000 



sent and Web Bulletin 



0x8000 

0x10000 

0x20000 
WATCH_HOST 0x40000 
NO_CS_SET 0x80000 



ALARM_1 

fo logged 

ALARM_2 

Bulletin 

NO__ALARM 



// from flows excedinq SCAN_MAX 

// from bits in host . [h] .port_scan[0] 



// UDP packet with < 4 bytes data 

// accessed too many different IP addresses 

// Half -open attack 

// Long-Term port scan 

// TRAFFIC bytes in + out over 15 min too high. Email 

V/ alarm-1 talked with a suspicious host, flows & full 

// alarm-2 is a definite problem. Email alerts sent 

// exempt from alarms 
// log packets and flows 

// C-S not determined (long-duration flow?) 



#define ALARM_12 0x18000 
#define ALARM_12w 0x58000 
packets and flows 
char alert_name[32] [25] = 



// for host[i] .alarms, 
// alarm-1 or alarm-2 
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1 and/or 2 
or watch-host 



log this guy's 



LANcope Code 

{"Local " , "Pings" , "Traces" , "Rejects" , "BacLFlags" , "Port_Scans" , "Pt_Scan2" , 
"High-High" , "Low-Hi gh" , "Low-Low" , "SHORT-UDP" , "IP-SCAN" , "HO_ATTACK" , "LT-Pt-Scan" , 



II If II till till llll II II till II II II II II II till till II II 



"HIGH-TRAF" , "TOUCHED" , "ALARM" , "NO_ALM" , "Watch" , 
.... } . 

unsigned long local_net [LOCAL_NETS] , local _mask[LOCAL_NETS] , ln_max, app_0, app_len, 
max_alert = 19 ; 
unsigned long cin[2][15], 

ci x [15] ={0 , 10 , 20 , 50 , 100 , 200 , 500 , 1000 , 2000 , 5000 , 10000 , 20000 , 50000 , 100000 , 1000000000} 
unsigned long tin[2][15], 

ti x [15] ={0 , 100 , 1000 , 10000 , 50000 , 100000 , 200000 , 500000 , 1000000 , 
2000000 , 5000000 , 10000000 , 20000000 , 50000000 , 1000000000} ; 

unsigned long web_alert_2 - 20000, web_traf_2 = 1000000, web_traf_2byte = 37500000; 
// Alarm, read from file 

unsigned long web_alert0_0 = 10, web_alertl__0 = 2, web_traf0_0 = 100, web_trafl_0 = 
20; // for web 

unsigned long profile, alarm_lines ; 

// web_alert_2 & web_traf_2 read in from lc_thresholds.txt, _0's adjusted by 
program. 

unsigned long port_mask[ PORT_MASK_SIZE ], pn_max, acti ve_local s ; // bit map for 32 
common server protocols, UDP = port + 1024 

char port_name[100] [32] , pbuf_l[120], pbuf_2[120], serstr[400] ; //names 
for protocols above, each bit 

#define TRAFFIC^. VALUES 97 // no. -> 15-min intervals for 24 hours + 1 
#define CLASS_FLOW_lNT 30 // interval in seconds between class_flow() operations 
#define WEB_ALERT_INT 300 // interval in seconds between web_alert() operations 
#define traf_table_min 750 // traf table interval - (web_alert_int / 2) 

struct byt eatable { 

time_t t 

unsigned long bytes_in 

unsigned long bytes_out 

unsigned long bytes_loc 

unsigned long bytes_oo 

unsigned long bytes_bc 

unsigned long bytes_bad 

unsigned long bytes_rr.cn 

unsigned long bytes_mco 
} bs[ traffic_values ] ; 

unsigned long bytes_start, spoofs, bt_old ; 
int bt = -1 ; 

unsigned long bps_in_max, bps_out_max, bps_loc_max, bps_oo_max ; 
unsigned long bps_mcn_max, bps_mco_max, bps_bc_max, bps_bad_max ; 
unsigned long bytes_in_cnt , bytes_out_cnt , bytes_loc_cnt , bytes_oo_cnt ; 
unsigned long bytes_bc_cnt , bytes_bad_cnt , bytes_mcn_cnt , bytes_mco__cnt ; 

// ###### THREADS ######## // 

unsigned long thread ; 
volatile time_t t_run ; 

time_t t_zero, t_bs_last, t_wa_last, t_diff, z_sec, t_next_web, t_next_cf, 

t_next_web ; 

pthread_mutex_t mp_hosts - pthread_mutex_initializer, mp_flows = 

PTH R EAD_MUT EX_I N ITI A L I Z E R ; 

pthreadjiutex_t mp_pai rs = PTHREAD_MUTEX_INITIALIZER ; 

pthread_mutex_t mp_class_flow = pthread_mutex_initializer ;// for f_file 

Ethread_mutex_t mp_find_flow = PTHREAD_MUTEX_INITIALIZER ; // stops find_flow from 
eing reentrant 
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thread_mutex_t mp_bs = pthread_mutex_initializer ; // stops bs[].t from 

eing written while read 
pthread_t thread_num[100] ; 

volatile long np, running = 1 ; 

char monitor_start[64] ; // capture start time 

long find_slot( unsigned long ipO, unsigned long ipl, long portO, long portl); // 
find slot in flow[ ] 

unsigned long find_host( unsigned long ip, unsigned int make) ; 
unsigned long dots_int( char *p ) ; // dotted-decimal (ascii) to integer 
unsigned long s2i( unsigned char bb[4]) ; // 4 bytes -> 32 bit integer, internet 
order, msb on left [0] 

unsigned long b2i( unsigned char bb[4]) ; // 4 bytes -> 32 bit integer, 
inte T -86order , msb on right [3] 

void print_host(FlLE *xfile, unsigned long i, unsigned long x) ; 
void usage ( void ) ; 

int start_tcpdump( void ) ; // returns '0' if ok 
void kill_tcpdump( void ) ; 

void process_pkts( void ) ; // run as threads 
void class_flow( void ) ; 
void web_alerts( void ) ; 

void record_probe( unsigned long hs, unsigned long des_addr, unsigned short des_port 
) ; 

void services( unsigned int x ) ; 
void read_thresholds( void) ; 
int read_profiles( void ) ; 
int save_profiles( void ) ; 

void suicide( int yesterday) ; // saves logs and restarts this program (or newer 
version) 

void userhandler(int) ; // SIGTERM handler (control-c response) 
#ifdef CHECK_INDEX 

unsigned long host_hash( unsigned long ip) ; 

#endif 

unsigned char snp_hdr[40], snp_buf [40] , lan_buf[40], ip_buf [3000] , *tcp_buf ; 
//buffers 

unsigned char ct[80], rt[80], as [20] ; 

unsigned int njiost = 1, n_pr_search, n_scans, slots_cut, slots_pr_cut ; 

// FILE *tf ; //DeBuG unsigned long temp[128] ; 

unsigned long i__src, i_des, hs_ip[128] ; 

int ip_optionsJ3 = 20, ip_options_l, data_0, data_l, restartjiour = 6 ; // gmt 
long njiiss, n_max, n_flow, n_flow_log, t_read ; 
unsigned char transport, scan_max ; 

unsigned int des_addr, src_addr, src_port, des_port, ah, tcp_all ; 
unsigned short err_limit = 40, n_restart ; 

unsigned long flag_al r [256] , flag_cnt [256] , flags, n_icmp, n_tcp, n_udp, n_f ull , 
port ; 

unsigned long snp_rec_max , host_cut ; // 24 + snaplen option used for Snoop 

int f_dotdec, f_all , f_encrypt, f^file, f_demo, f^splitpath, f_loose, f_verbose, 
f_noread ; // flags 

int n_active, n_active_max ; // used by class_flow() 
int n_lost ; // flows lost due to no slot 

int lanjidr, bothjidr, snp_len, snoop ;// lan_hr = 14 Ethernet, 21 fddi 

unsigned long non_ip, ip_not4, short_ip, ip_len[16], not^tui ; // for cleaning 



int main (int argc, char * argv[ ]) // ============== main 

Page 6 



LANcope Code 
struct tm *s_time, *cap_time ; 

docket t_l, t_2 ; // t_l = time in 1/60 s , clock_t is unsigned long 
time_t t_now, snoop^t ; // time in sec since 1-1-1970, unsigned long 

struct timespec ts ; // ts.tv_sec and ts.tv_nsec 

char *inp, logflo[130], logpkt [130] , logscan[130] , *opx, app[130], alt[130] ;// 
inpiinfile 

unsigned long i, j, k, h, n, index, indexO ; // index to data table 

unsigned long pkt_len, inclu_len, rec_len, cu_drop ; // pkt record 

header 

unsigned long t_start, Oast ; /* time */ 
unsigned char x, y ; 

unsigned long save_old, n_list, n_err, m ; // used while reading 
// FOR HOST STATISTICS 

int ntf, nprof, hdr_needed ; 

unsigned short port_ck = 0 ; // TCP or udp port numbers 

unsigned char c, fig , run_flags[120] ; 
// Unique to Select. c 

unsigned long ipv[40], n_ips, v, snap_len, cap_len ; 

char ips[200], *spl f *sp2, *cap_prog, as0[200J, asl[200] , cmd[ 100 ], 
filebase[100] ; 

unsigned long ipO, ipl, n_slot, no_header ; 

void (*handlerptr)(int) ; // for SIGTERM handle 

printf( n \nProgram ID: %s\n ptr host[l] : %u, %u\n M , progid, (size_t) 
&host[2], 

(size_t) &host[2] .ip ) ; 

if ( argc < 3 ) { // Snoop Pkt Size optional 

printfC* *** Not Enough Auguments\n") ; usageQ ; 



handlerptr = signal (SIGTERM, userhandler) ; 

if (handlerptr == SIG_ERR) printf ("Can 1 t assign signal handler ,\n") ; 

inp = argv[l]; //input file name 
// if(strstr(inp,"/")) { 

// printf("\n ### INPUT FILE MUST BE IN THE DEFAULT DIRECTORY 

###\n\n M ); 

// usageO ; 

// } 

if(argc > 2) strcpy(logflo,argv[2]) ; 

// tf = fopen("host_scan„data.txt ,, , ,, w M ) ; // temp - Print Host Scan Data // 

DeBuG 

t_now = time( NULL ) ; // present time in seconds 

if(logflo[0] == '-■) { 

unsigned long day, hour ; 
day = (t_now / 86400) % 30 ; 
hour = (t_now / 3600) % 24 ; 

if( hour >= restart_hour) day = (day + 1) % 30 ; 

sprintf(logflo, "log-flows-%u.txt" , day ) ; // use same files 
if restart in same day 

spri ntf (logpkt, M log-pkts-%u. snp M , day) ; 
// struct tm *w_time ; 

// w_time = localtime( & t_now ) ; // w_time points to 'tm 1 structure 

// strftime(logflo, 16, "%y%m%d%H", w_time) ; // t__table is formatted into 

string ts 



// strcpy( filebase, logflo ) ; //save for restart 
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// strcpyClogpkt, logflo) ; 

// strcat(logpkt , "log.snp" ) ; 

// strcpyClogscan, logflo) ; 

// strcat(logscan, "-scans. snp n ) ; 

// strcatdogflo, "-flow.txt" ) ; 



printf ("selected flows listed in File: '%s\ packets in 'JSs'Xn" , logflo, logpkt) 

INDEX CHECKING IS TURNED ON --- \n") ; 



#ifdef CHECK_INDEX 

printfC 
#endif 



if(argc > 3) { // — set flags 
strcpy(run_flags,argv[3] 
printf(" Flags: '%s\", 
// if(strstr(run_flags,"d") 
}// write IP addrs in dotted decimal 

if(strstr(run_flags,"a") 
// f print all flows that terminate 

if (strstr(run_flags, "e") 
// encrypt local net names 

if(strstr(run_flags,"f") 
// take t_pace from file 

if (strstr(run_flags, "o") 
// demo, list all hosts 

if(strstr(run__flags, "n") 
// skip old profiles 

if (strstr(run_flags, "s") 
// some packets missing 

if (strstr(run_fl ags,"v") 



run_flags ) ; 

{f_dotdec = 1; printf (' 



// verbose 
very verbose 
very verbose 
very verbose 
} 



if (strstr(run_flags, "vv" 



{f_all = 1; printfC 

{f_encrypt = 1; printfC 

{f_file = 1; printfC 

{f_demo = 1; printfC 

{f_noread =1; printfC 

{f_spl i tpath=l ; pri ntf C 

{f_verbose =1; printfC 

) {f_verbose =2; printfC 



if (strstr(run_flags, "vvv")){f_verbose =3; printfC 
if(strstr(run_flags, "vvvv ,, )){f_verbose=4; printfC 
printf ("\n"); 



dotdec, " ) 
all flows,") 
encrypt, " ) 
file in, " ) 
demo, " 



} 
} 
} 

);} 



no profiles, ") ;} 
split_path, ");} 
verbose, " );} 

-very" );} // 

-very" );} // 

-very" );} // 



f_loose = 1 ; // after t_run > LOOSE_PERlOD, f_loose = f_splitpath 



// 



// File opening for input from tcpdump or real file 

if(f_file == 0 ) { 

if( start_tcpdump() ) { 

printfC" ### ethl OR tcpdump CAN NOT BE STARTED - 

TERMINATING ###\n\n") ; 

usage() ; 

} 

elsp 

if((infile = fopen (inp, "rb"))==NULL) { // OPEN INPUT FILE// 
pri ntf ("input File %s Can Not Be Read\n", inp) ; 
usageO ; 

if((config = fopen ("lancope_config. txt" , "rb"))==NULL) { // OPEN input 

FILE 

printf ("input File 1 lancope_config.txt' Can Not Be Read\n" , inp) ; 
usa|e() ; 

while(l) { // read configuration parameters - port numbers , mask, and names 
unsigned int i , j ; 

if( EOF == fscanf(config," %u %u", &i , &j) ) break ; // read 
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values of i , j 

if(( i >= 9000 ) || ( j > 31 )) break ; 

if( EOF == fscanf (config," %s", &port_name[j] ) ) break ; // read 

port name 

if( i <= ( 2 * UDP_PORT_OFFSET )) { 
port_mask[ i ] = 1 « j ; 
pn_max = j + 1 ; 

} } 

port_mask[ 2 * UDP_PORT_OFFSET + 1 ] = 1 « prunax ; 
strcpy(port_name[pn_max] , "MMedia"); pn_max ++; 

port_mask[ 2 * UDP_PORT_OFFSET + 2 ] = 1 « prunax ; 
strcpy(port_name[pn_max] , "M 1 cast") ; pn_max ++; 

port_mask[ 2 * UDP_PORT_OFFSET + 3 ] = 1 « prunax ; 
strcpy(port_name[pn_max] , "B'cast"); pn_max ++; 

port_mask[ 2 * UDP_PORT_OFFSET + 4 ] = 1 « pn_max ; 
strcpy(port_name[pn_max] , "Odd:") ; pn_max ++; 

ln_max = 0 ; 

while(l) { // ### read configuration parameters - local sub-nets ### 

if( EOF == fscanf(confTg," %s %s", pbuf_l, pbuf__2) || (atoi (pbuf_l) 

> 256)) break ; 

local_net[ ln_max ] = dots_int( pbuf_l ) ; // dotted decimal to 

integer 

local_mask[ ln_max ] = dots_int( pbuf_2 ) ; 
if( f_encrypt ) { 

unsigned int a ; 

a = local _net[ ln_max ] ; 

if( ! (local_mask[ ln_max ] & OxOfOO )) local_mask[ ln_max ] 
&= OxffffOOOO ; //for B-c class 

local_net[ ln_max ] a= ((( a »4)&0x0f0f0000) a 
(a«4)&0x0000f000) ; //encrypt routine 'c' 

a = local_net[ ln_max ] ; 

printf ("Encrypted Local Net: %u.%u.%u.%u, \t", a»24, 
(a»16) & Oxff , (a»8) & Oxff, a & Oxff ) ; 

if( (++ln_max) >= LOCAL_NETS ) break ; 

printf("Local Net: %15s, Net Mask: %15s\n", pbuf_l, pbuf_2 ) ; 
fclose( config) ; 

if((log_pair = fopen("log_pai r. txt" , "ab"))==NULL) { 

printf ("\nLog-Packets File 1 log_pair.txt' Can Not Be Opened for Append\n\n") 
usageC) ; 



pthread_mutexJIock( &mp_hosts) ; // ### lock hosts [] 

read_thresholds() ; // initial values for web_alert2, web_traf2, 
restart Jiour, profile ; 

pthread_mutex_unlock( &mpJiosts) ; // ### unlock hosts [] - no_alarms and 
watchjlist 



if( C ! f_noread) && ( profile » 0 ) ) read_profiles() ; // ### read 
profiles ### 

printf ("\n Waiting for IP Data\n") ; 

// — read snoop file header into snpj>uf[ ] 
nojieader = 1 ; 
whileC nojieader ) { 

nojieader = 0 ; 

n = fread( (void *) snpjidr, 4, 4, infile) ; 
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if( n<4) { 

printf ("Could not read file header from %s\n\n", inp) ; 
no_header = 1 ; 

} 

else { 

if( 

(snp_hdr[0]== , s , )&&(snp^hdr[l]== , n , )&&(snp_hdr[5]==0)&&(snp_hdr[ll]==2) ){ // snoop 

snp_hdr[7] = 0x00 ; 

printf("%s %s version %u, Format %u (4=Ethernet, 
8=FDDl)\n M , snp_hdr, &snp_hdr[6], \ 

(int) snp_hdr[ll], (int) snpjidr [15]) ; 

if( snp_hdr[6] == 'c' ) f^encrypt = 1 ; // encrypt 
local net addresses to match file 

if( snp_hdr[15] == 4 ) lan.hdr = 14 ; // Ethernet 

LAN - snoop file 

if(snp_hdr[15] == 8 ) lan_hdr = 21 ; // FDDI 

LAN 

else { 

printf ("\nFile is not 'snoop 1 of Ethernet or fddi. 
Type = %d\n\n", (int) snp_hdr[15] ) ; 

nojieader = 1 ; 

} } 

bothjidr = lan_hdr + 24 ; 
if( 

(snp_hdr[0] !='s') | | (snp_hdr[l] ! = f n') I I (snp_hdr[5] !=0) | | (snp_hdr[ll] !=2) ){ 

printf ("\nFile is not 'snoop 1 

version '2' \n\n") ; 

no_header = 1 ; 

} 

cap_prog = "snoop" ; 
// Read 1st Snoop Record Header to get starting time 

n = fread( (void *) snp_buf, 4, 6, infile) ; // 
read 1st snoop record header into pf[ ] v x tiv 

if( n < 6) { printf ("\nEOF BEFORE FIRST RECORD\n\n") 

;usage() ; } 

// pkt_len = s2i( &snp_buf[ 0] ) ; 

// inclu_len = s2i ( &snp_buf[ 4] ) ; // captured 

length 

rec_len = s2i( &snp_buf[8]) ; // SNOOP record 

length (24 + captured length) 

// cu_drop = s2i( &snp_buf[12] ) ; // not used 

thread = snoop_t = s2i( &snp_buf[16] ) ; // 

absolute capture time in seconds 

snoop = 1 ; // cap program was snoop 
} else { // tcpdump 

if( snp_hdr[3] < Oxal ){ 

printf ("\nFile is not 'snoop 1 version '2' or 
a TCPDUMP -w file\n\n") ; s n 

printf ("1st 4 bytes are: %x,%x,%x,%x\n" , 
snp_hdr[0] ,snp_hdr[l] ,snp_hdr[2] , snp_hdr[3]) ; 

usage() ; 

lanjidr = 14 ; // Ethernet 
bothjidr = lan_hdr + 24 ; 
cap_prog = "tcpdump" ; 
snoop = 0 ; // not snoop 
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n = fread( (void *) &snpjidr[16] , 4, 2, infile) ; 
// get extra length of tcpdump file header 

if( n < 2) { 

printf ("\nEOF BEFORE FIRST RECORD\n\n M ) ; 
nojieader = 1 ; 

} 

else { 

snap_len = snpjidr[16] + 256 * snp_hdr[17] ; 
// Read 1st tcpdump Record Header to get starting 

time 

n = fread( (void *) snp_buf, 4, 6, infile) ; 
// read 1st snoop RECORD header into pf[ ] 

if( n < 6) { 

printf ("\nEOF BEFORE FIRST 

RECORD\n\n") ; 

nojieader = 1 ; 

} 

else { 

rec_len = b2i( &snpj>uf[8]) + 24 ; 
// tcpdump record length (24 + captured length) 

thread = snoop_t = b2i ( 
&snp_buf[0] ) ; // absolute capture time in seconds 

printf (" tcpdump -s (raw) capture 

file, snapjlen = %u\n", snap_len ) ; 

} // end tcpdump specific read 

} 

if( nojieader ) { 

if( f_file ) usageO ; 
else { 

start_tcpdump() ; 

printf C" #### WILL TRY TO READ HEADER AGAIN ### 

} } 

if( running != 1 ) goto wrapup ; 
sleep(l) ; 
} // end - while( nojieader) 

snp_rec_max =250 ; 

// printf ("Run^f lags: '%s', Snoop Record Max. Length: %u bytes\n", run_flags, 

snp_rec_max ) ; 

struct stat file_info; // OPEN OUTPUT FILE log-flow-n. txt 

and log-pkt 

if( stat( logflo, &file_info) != 0 ) { //file logflo does 

not exists already 

if((log_flow = fopen (logflo, ,, wb"))==NULL) { 

printf ("\nLog-Packets File %s Can Not Be Created\n\n" , 

logflo) ; 

usageO ; 
hdr_needed = 1 ; 

else { // file logflo 

exists already 
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if((log_flow = fopen (logflo, "ab"))==NULL) { 
printf ("\nLog-Packets Fi I e %s Can Not Be Opened for 



exists already 
logpkt) ; 



} 

hdr_needed = 0 ; 

} 

if( stat( logpkt, &file_info) != 0 ) { //file logpkt does not 

if (Oog_4Dkt_file = fopen (logpkt , "wb"))==NULL) { 

pri ntf ("\nLog-Packets File %s Can Not Be Created\n\n" , 



usageO ; 

fwrite( snpjidr, sizeof (char) , 24, log_pkt_file ) ; // copy 
tepdump file header into packet log file 

else { //file logpkt 



exists already 
Append\n\n" , logpkt) 
} 

} 



if((log _pkt_file = fopen (logpkt , ,, ab ,, ))==NULL) { 
printf ("\nLog-Packets File %s Can Not Be Opened for 

usageO ; 



t_now = t_l = time(NULL) ; // puts present time (s) into t_now and 
GLOBAL t_zero 

if( f_file) { t_zero = t_read ; } else { t_zero = t_now ; } 
s_time = localtime(&t_now) ; // puts ascii data in struct( *captime), 
makes s_time point to it 

strcpy( rt, asctime( s_time ) ) ; // rt has \n 

cap^time = localtime( &snoop_t ) ; 
strcpy( ct, asctime( cap_time ) ) ; 
strcpy(monitor_start , "Monitoring Started: ") ; 
strcat(monitor_start , ct ) ; 

monitor_start[ 39 ] = 1 , 1 ; // chop off year and \n for Web page title 
monitor_start [ 40 ] = 1 1 ; 
monitor_start [ 41 ] = 0 ; 

fflush(stdout) ; 
t_2 = clock() ; 

pri ntf ("Data captured by %s to file %s on %s", cap^prog, inp, ct ) ; // ct 

has \n 

printf ("Program ID: ^s'AnRun on %s. Output file: %s\n", progid, rt, 

logflo); 

if( hdr_needed ) { 

f pri ntf (log^flow, "Data captured by %s to file %s on %s", cap_prog, inp, ct ) ; // 
ct has \n 

fprintf(log_flow, "Program ID: ^s'AnRun on %s. Output file: %s\n", progid, rt, 
logflo); 

fprintf(log_flow,"prot\tipO\tipl\tportO\tportl\tservice\tstart\tlast\tbytesO\tpktsO\ 

tflags0\t"); 

f pri ntf (log^flow, 

"p-mi n0\tp-max0\tbi naryO\tBadO\tRSTO\tURGO\tSYNO\tSYN-ACKO\tFlNO\tU-PTRO\t" ) ; 
f pri ntf (log.flow, "bytesl\tpktsl\tflagsl\tp-minl\tp-maxl\t") ; 

fprintf (log_flow, "bi naryl\tBadl\tRSTO\tURGl\tSYNl\tSYN-ACKl\tFINl\tU-PTRl\n" ) ; 

// ##################### START THREADS TO READ PACKETS and CLASSIFY FLOWS 
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####### 

pthread_create( &thread_num[l] , NULL, (void *) &process_pkts , NULL ); // 

### NEW THREADS 

if( f_file ) pthread_mutex_lock( 

&mp_class_flow ) ; // block class_flow() until p_p releases 

pthread_create( &thread_num[2] , NULL, (void *) &class_flow , NULL ); 

// pthread_create( &thread_num[3] , null, (void *) &web_alerts , null ); // 

ALERT TABLES FOR WEB 

// ### Three threads run until userhandlerO detects SIGTERM and sets 'running = 
2' ### 

pthread_join( thread_num[l] , NULL ); // wait for completion - until 
'running 1 -> 2 

printf (" Thread-1 (process_pkts) joined, "); 
running = 2 ; 

if( f_file) pthread_mutex_unlock( &mp_class_flow ) ; 

pthread_join( thread_num[2] , NULL ) ; 

printf (" Thread-2 ( class_flow ) joined, "); 
// pthread_join( thread_num[3] , NULL ) ; 

// printf( n Thread-3 ( web_alerts ) joined\n M ); 



// ##################### END OF THREADS #################### 



wrapup: 



printf ("\n*** Packet Data Source Ended, Flow Log: %s, Pkt Log: 
%s\n\n",logflo, logpkt ); 
time(&t_now) ; 

s_time = localtime(&t_now) ; 

xfile = stdout ; // 1st time through 

f printf (xfile," Flows found: %u, logged: %d, packets: %u, time-out: 

%d \n", 

n_flow, n_flow_log, np, FLOW^DEAD) 

fprintf(xfile, u TCP packets: %u, UDP packets: %u, ICMP packets: 
%u\n", n_tcp, n_udp, n_icmp) ; 

fprintf (xfile, "\nlt took %u seconds to process, %u pkts, %u cap. 
secs.\n",time(NULL) - t_l,np, t_run) ; 
// xfile = log_flow ; // 2nd time through 

// { for( i = 0 ; i < 128 ; i++ ) { // DeBuG 

// fprintf(tf, '^u^uXt", i, temp[ i ] ) ; 

// if(hs_ip[ i ] == 0 ) fprintf(tf, M \n") ; 

// else { m 

// register unsigned int a ; 

// a = hs_ip[ i J ; 

// fprintf(tf, n %3u.%3u.%3u.%3u\n M , a»24, (a»16) & Oxff, 

(a»8) & Oxff, a & Oxff) ; 
// } } 

// printf (" Host Scan Data saved in file host_scan_data. txt\n") ; 

save_profiles() ; 

for( i = 1 ; i < SCAN_SLOTS ; i++ ) { // ### WRITE SCAN-PAIRS ### 

identical TO CODE IN web_alerts() 

register unsigned int ipO, ipl, done; 

char as0[20], asl[20] , as [30], as4[30] , pr_str[500], x_str[50] ; 
if( scans [i] .down) { // select pairs to fprint 
ipO = scans [i] .ipO ; 
Page 13 



LANcope Code 
ipl = scans [i] .ipl ; 
sprintfC asO, "%3u .%3u .%3u .%3u" , (ip0»24) & Oxff, (ip0»16) & Oxff, (ipO»8) 
& Oxff, ipO & Oxff) ; 

sprintfC asl, ,, %3u.%3u.%3u.%3u ,, i (ipl»24) & Oxff, (ipl»16) & Oxff, (ipl»8) 
& Oxff, ipl & Oxff) ; 

for( j = 0 ; j < strlen(asO) ; j++ ) if( asO[j] == 1 

') asO[j] = '0' ; // target ipO 

for( j = 0 ; j < strlen(asl) ; j++ ) if( asl[j] == 1 

') asl[j] = '0' ; // prober ipl 

sprintf(pr_str, M %u\t%u\t%s\t%s\t%u\t%u\t" , scans[i] .last , 
scans [i] .start, asO, asl, 

scans [i ] .n_hits, scans [i ] ,n_ports ); 
for( j = 0 ; i < 16 ; j++ ) { 

x_str[0] = 0 ; done = 0 ; 



case 1 

UDP_PROBE 

case 2 

TCP_PROBE 

case 3 
SHORT_UDP_SCAN 

case 4 

BOOMERANG 

case 5 

PING_SCAN 

case 6 

ICMP^TO 

case 7 

TCP_T0 

case 8 

UDP_T0 

case 9 

BAD_PKT_TRACE 

case 10 

TCP_P0RT_SCAN 

case 11 

TCP_ADDR_SCAN 

case 12 

HALF_0PEN 

default 



switch ( scans [i ] .type [j] ) { 

sprintf (x_str, "UDP_R-%u", scans[i] .port[j]) 

sprintf (x_str, "TCP_R-%u", scans [i] .port[j]) 

sprintf (x_str, "Short^UDP^u" , scans[i] .port [j]) 

spri ntf (x_str , n Src=Des-%ir , scans [i ] . port [j] ) 

sprintf (x_str, "Ping") 

sprintf (x_str, "icmp_to" ) 

sprintf (x_str, "TCP_T0-%u" , scans[i] .port[j]) 

sprintf (x_str, "UDP_T0-%u" , scans[i] ,port[j]) 

sprintf (x_str, "Bad_TCP-%u" , scans[i] .port[j]) 

sprintf (x^str, "Mul ti_Pt-%u" , scans[i] .port [j]) 

sprintf (x_str, "Addr_scan-%u" , scans [i] .port[j]) 

spri ntf (x_str, "HO_ATTACKn-%u" , scans[i] .port [j]) 
done = 1 ; 



;break 


// 


;break 


• // 


; break 


; // 


; break 


; // 


;break 


// 


; break 


// 


; break 


// 


; break 


// 


; break 


// 


; break 


// 


;break 


// 


;break 


// 



if( done ) break ; 
strcat( pr_str, x_str ) ; 
if( scans[i] .walk[j] > 0 ) { 

spri ntf (x_str, "(%u) " , 



scans[i] .walk[j] ) 



} 



strcat( pr_str, x_str) 

" ) ; 



} 



el se strcat(pr_str , 
} // end j = 0, 1,2, . . . 
strcat(pr_str, "\n") ; 



fprintf (log_pai r, "%u\t%s" , scans [i] .concern, pr_str) 
log before deleting 

n = 0 ; 

for( i = 1 ; i < SLOTS ; i++ ) { 
if (flow [i] .down) { 
n++; 

} 

} 
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printf(" Max. Search: %d, Max. Flows Active: %d, Still Going: %u\n", n_max, 
n_acti ve_max, n ) ; 

kill_tcpdump() ; 

// running = 2 ; // finish up - force all flows to terminate 

// class_flow() ; 
// web_alerts() ; 

// printf(" All Flows Terminated and Classified\n") ; 

// sprintf( cmd, M lc_restart %s %s &", argv[3], filebase ) ; 

exit(O) ; 

} // +++++++++++++++++++++++++ END MAINQ +++++++++++++++++++++++ 



void process_pkts( ) // ### thread #1 ### 

unsigned long i, j, k, h, index, indexO ; // index to data 



table 
header 



unsigned long pkt_len, inclu_len, rec_len, cu_drop ; // pkt record 

long m, c_sec, t_sec, t_us, t_offset=0, t_cf, t_start ; // t^offset + or - 
unsigned long ipO, ipl, n_slot, n_err, n, hO, hi, hs, hd, bytes, bytesjidr 

time_t t_now, t_check, t_pause = 3 ; 

t_now = time(NULL) ; 

z_sec = t_read ; // snoop time stamp values 

c_sec = z_sec ; 

t_run = 1 ; // seconds since capture run started, must be > 0 

t_start = t_cf = 0 ; 

non_ip = ip_not4 = short_ip = n_err = not_tui = 0 ; 

for( i = 0; i < 16; i++) ip_len[i] = 0 ; // no. IP frames with header 
length i , i >< 5 

// 32 16 8 4 2 1 

for( i = 1 ; i < 256 ; i++ ) { // x,x,urg,ack ,psh,rst,syn,fin 

if( ( i & 0x3f ) == 0x3f ) flag_alr[i] |= 0x10000 ; // Christmas 

attack 

if( ( i & 3 ) == 3 ) flag_alr[i] |= 0x20000 ; // Syn Fin, 

Jackel or nmap 

if( ( i & OxcO ) > 0 ) flag_alr[i] |= 0x40000 ; // Reserved 

Flags 

if( C i & 4 ) && ( i & 0x23)) flag_alr[i] |= 0x080000 ; // RST and 

any but PSH, ACK 

if( (-i & 0x10) && ( i & 0x29)) flag_alr[i] |= 0x100000 ; // no ACK, 

any flag but SYN or RESET 

if( ( i & 0x20) && ( i & 0xc7)) flag_alr[i] |= 0x200000 ; // UGR + 
any except ACK or PSH 

flag_alr[0] = 0x400000 ; // no flags 
np = 0 ; 

ifC f.file ) { 

unsigned int cfi = CLASS_FL0W_INT ; // cfi = 30 s 
unsigned int wai = WEB^ALERT_INT ; // wfi = 900 
t_next_cf = *(&t_zero) + 0.5 * cfi ; 

t_next_cf = t_next_cf + cfi - (t_next_cf % cfi) ; // moves to 
nearest even value 
} 
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restart_here: pn*ntf("# Thread process_pkts start (%d) at t: %u, np: 
%u\n M , n_restart++, t_run, np) ; 

• while (running == 1) { // ############### START LOOP TO READ PACKETS 
############### 

long portO, portl, log_pkt ; 

if( np == 0 ; goto read_ip_buf ; // already read snoop header 

// *** PKT TIME FROM SNOOP HEADER **** 

if( f_file) { 

t_sec = thread + t_offset; 

if (((( t_sec - c_sec) > 360 ) | | ( t_sec - c__sec) < -10 ) 

| | ( t_sec < z_sec )) { 

printf( "BAD TIME VALUE, np:%u, Chk. T = %d, This T 



// 

= %d s, %d us, Error = %u" ,\ 

// 

too large, ignore 

ignored. \n") ; 
// 
// 
// 

) I 



np, c_sec, t_sec, t_us, n_err ); 
if( abs(c_sec - t_sec) > 120 ) { // clock jump 



} 



printfC" - Time Jump > 120 s. packet 
goto read_next ; 



} 

c_sec = t_sec ; 



else printf( n \n"); 
printf("np: %u, Old T offset = %d, " , np, t_offset 

t_offset += c_sec - t_sec ; 
t sec = c sec * 

printfC "7 New*T Offset = %d\n", t_offset, t_run ) 

if ( n_err++ > 30 ) break ; // go to wrapup 



} else { 



first packet 



t_run = t_sec - z_sec + 1 ; // data from file 
t_run = thread - z_sec + 1 ; // real-time, z_sec is time of 



PROCESS PACKET 



log_pkt = 0 ; // do not log packet unless this is set 
pthread_mutex_lock( &mp_flows) ; // ### lock hosts [; 
pthread_mutex_lock( &mp_hosts) ; // ### lock hosts [] 
if( f_verbose == 3 ) { printfC" np:%u received at %u, ", np, t^run ) ; 
fflush(stdout) ; } 

if( !( (Ianj3uf[lan_hdr - 2] == 8) && ( lan_buf [lan_hdr - 1] == 0) ) 

) { // not an IP packet 

non_ip++ ; 

goto read_next ; 

if( ( ip_buf[0] & OxfO ) != 0x40 ) { //IP, but not version 4 
i p_not4++ ; 
goto read_next ; 



with options 

// 



if( ( n = (ip_buf[0]) & OxOf ) != 5 ) ip_len[ n ] ++ ; //IP, but 



IP actions 

m = 4*n ; // zero data, start i adjusted for length of IP header 
if(( m < 0 ) M (m > 32)) { 
n_err++ ; 

printf ("Length-Error Packet, %u. Length = %d 4-byte 

words. \n", np, n) ; 

log^pkt = 1 ; 
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// if( n_err > err_limit ) goto wrapup ; 

// else 

goto reacLnext; 

tcp_buf = &ip_buf[ m ] ; // ip header length m = 20 unless there 

are IP options 

// ip_options_l = m ; 

src_addr = s2i( &ip_buf[12] ) ; 
des_addr = s2i( &ip_buf[16] ) ; 
transport = (unsigned char) ip_buf[ 9 ] ; 

hs = findJiost( src_addr, 1 ) ; // create entry if none exists 
hd = find_host( des_addr, 0 ) ; // find hd if entry exists 

if(src_addr == des_addr) { 
pthread_mutex_lock( &mp_pairs) ; // ### lock scans [] , 

scan_pair( src_addr, des_addr, BOOMERANG, 0) ; // type 8 -> 
circle packet or "land" attack 

pthread_mutex_unlock( &mp_pairs) ; // ### unlock scans[], 

log_pkt = 1 ; 
goto read_next; 

bytesjidr = (((unsigned int) ip_buf[2] « 8 ) I (unsigned int) 
ip_buf[3]); //includes IP, TCP/UDP/ICMP hdrs 

bytes = bytesjidr -m - 8 ; // length of IP data (includes 

App. Header) UDP, ICMP = 8 bytes 

if (transport == 6) bytes += 8 - 4 * (tcp_buf [12] » 4) ; // 
adjust for longer TCP header 

// Traffic Stats - IP Spoof Detect 

unsigned int traf = 0, s, d ; 
for ( n = 0 ; n < ln_max ; n++) { 

if( ! ( local_mask[ n ] & ( local_net[ n ] a 
src_addr ))) traf |= 1 ; // source is local 

if( ! ( local_mask[ n ] & ( local_net[ n ] a 
des_addr ))) traf |= 2 ; // destin is local 

if( ! (OxfOOOOOOO & (OxeOOOOOOO a des_addr) ) ) traf 1=4; 
// => 4 (outside) or 5 (local) mcast 

if( (!(des_addr & Oxff 000000)) I I (((des_addr & OxffOOOOOO)) 

== OxffOOOOOO ) 

| | ((des_addr & OxOOOOOOff)) OxOOOOOOff ) traf 
|= 8 ; // local broadcast => 9, if 8 then bad 

if( ! (OxffOOOOOO & (OxffOOOOOO a des_addr) ) ) traf |= 8 ; 
// => 4 (outside) or 5 (local) 

if( ( src_addr & OxffOOOOOO) == 0 ) { 

if ( !( traf & 10 ) ) traf |= 16 ; // bad if 
dest is not local or local broadcast (traf = 8 or 2) 

else traf = 9 ; // set to local broadcast 

switch ( traf ) { 

unsigned int ips, ipd ; 

case 0 : // outside-outside traffic 

spoofs++ ; 

bytes_oo_cnt += ( (unsigned int) ip_buf[2] « 8 ) I 

(unsigned int) ip_buf[3] ; 
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if (spoofs < 10 ) { 

if(! f_encrypt) { //encrypt routine 
printf(" SPOOF packet- Source 
%3u.%3u.%3u.%3u, Dest. %3u.%3u.%3u.%3u t: %u\n r \ 

(src_addr»24) & Oxff , 
(src_addr»16) & Oxff, (src_addr»8) & Oxff, src_addr & Oxff, 

(des_addr»24) & Oxff, 
(des_addr»16) & Oxff, (des_addr»8) & Oxff, des_addr & Oxff , t_run) ; 

} else { 

ips = src_addr a 
C((src_addr»4)&0x0f0f0000) a (src_addr«4)&0x0000f000) ; 

ipd = des_addr a 
C((des_addr»4)&0x0f0f0000) a (des_addr«4)&0x0000f000) ; 

printf( M spoof?- source 
%3u.%3u.%3u.%3u, Dest. %3u.%3u.%3u.%3u t: %u\n\ 

(ips»24) & Oxff, (ips»16) & 

Oxff, (ips»8) & Oxff, ips & Oxff , 

(ipd»24) & Oxff, (ipd»16) & 

Oxff, (ipd»8) & Oxff, ipd & Oxff, t_run ) ; 

} // end - spoofs < 10 

} 



headers 



break 
case 1 

break 
case 2 
break 
case 3 
break ; 
case 4 



// inside-outside traffic 
bytes_in_cnt += bytesjidr ; 



// outside-inside traffic 
bytes_out_cnt += bytesjidr ; 



// inside-inside traffic 
bytes_loc_cnt += bytesjidr ; 



0001 

// bytes including 



0010 



0011 



] ; // mcast_bit 



break ; 
case 5 



] ;// mcast_bit 



: // outside multicast 0100 
bytes_mcn_cnt += bytesjidr ; 
if( hs ){ 

host[ hs ]. server |= port_mask[ 2050 

} 

goto read_next ; 



: // inside broadcast 0101 
bytes_mco_cnt += bytes_hdr ; 

if( hs ) { // create entry if none exists 

host[ hs ]. server |= port_mask[ 2050 

} 



break ; 
case 9: 
case 11: 



goto read_next ; 



// inside broadcast to 0.0.0.0 



1001 
1011 



UDP_PORT_OFFSET + 3 ] 



// inside broadcast to x.x.x.255 
bytes_bc_cnt += bytes_hdr ; 

if( hs ) { // create entry if none exists 
host[ hs ]. server |= port_mask[ 2 * 

;// bcast_bit 
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goto reacLnext ; 

break ; 
default : 

bytes_bad_cnt += bytesjndr ; // outside to broadcast 

1001 

log_pkt = 1 ; 
goto read_next ; 
} // End case (traf) 
} // end traffic stats 

// ================= CHECK FOR PATHOLOGICAL PACKETS ============= (LINE 

651)==-========= // 

// TCP and UDP Flow numbers 

if((transport ==6) I I (transport == 17)) { // collect flow data 

src_port = ((unsigned long) tcp_buf[0] « 8) I ((unsigned long) tcp_buf[l] 
);// src port 

des_port = ((unsigned long) tcp_buf[2] « 8) | ((unsigned long) tcp_buf[3J 
) ;// des port 

if( hs ) { 

host[ hs ] .bytes_ot_pp += bytes_hdr ; // bytes_ot_pp 
is bytes out per period (O'ed every 5 min.) 

host[ hs ].pkts_ot ++ ; 

if ( (transport == 6 ) && (flag_alr[ tcp_buf[13] 

])) { // bad-flags TCP 

host[ hs ].bad_pkts ++ ; 
log_pkt = 1 ; 

record_probe( hs, des_addr, des_port ) ; 

if( host[ hs ].bad_pkts < 1000 ) { 
pthread_mutex_lock( &mp_pairs) ; // ### lock scans[], 

scan_pair( src_addr, des_addr, 

bad_pkt_trace, des_port) ; 

pthread_mutex_unlock( &m^_pairs)^; // ### unlock scans[], 

if( transport == 17) { // UDP 

host[ hs ].udp_bytes += bytes_hdr; // bytes_hdr 

includes header bytes 

host[ hs ].bytes_ot += bytes_hdr ; 

if (bytes <= short_udp_max ) { // too short 

host[ hs ].bad_pkts ++ ; // 

too-short UDP 

host[ hs ]. alerts |= SHORT_UDP ; // 

too-short UDP 

log_pkt = 1 ; 

record_probe( hs, des_addr, des_port ) ; 
pthread_mutex_lock( &mp_pairs) ; // ### lock scans[], 

scan_pair( src^addr, des^addr, 

SHORT_UDP_SCAN, des_port) ; 

pthread_mutex_unlock( &m^_pairs) ; // ### unlock scans[], 

else host[ hs ].bytes_ot += bytes ; // TCP, data bytes 

only 

if(( ip_buf[8] < 2 ) && des_addr) { // TTL expiring, TCP, 
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UDP, OR ICMP, ignore b'cast to 0.0.0.0 

host [ hs ] .traces ++ ; 

host[ hs ]. alerts |= TRACE_ALERT ; // icmp timeouts 

are ignored 

log_pkt = 1 ; 

record_probe( hs, des_addr, src_addr ) ; 
pthread_mutex_lock( &mp_pairs) ; // ### lock scans [] , 

if (transport == 6) scan_pair( src_addr, des_addr, 

tcp_to, des_port) ; 

if (transport == 17) scan_pair( src_addr, des_addr, 

UDP_TO, des_port) ; 

pthread_mutex_unlock( &m^_pairs) ; // ### unlock scans[] f 
} 

// ============ END - LOOKING FOR PATHOLOGICAL PACKETS 

========== // 



if( hd ) { 

host[ hd ] .bytes_in_pp += bytes_hdr ; // bytes_in_pp is 
bytes in per period (O'ed every 5 min.) 

host[ hd ].pkts_in ++ ; 

if( transport == 17) { // UDP 

host[ hd ].udp_bytes += bytes_hdr; // total UDP, in 

and out, includes header bytes 

host[ hd ].bytes_in += bytes Jidr ; 
else host[ hd ].bytes_in += bytes ; // TCP 

} 

if ( src_addr < des_addr ) { // ipO is the smaller IP addr 
ipO = src_addr ; portO = src_port ; 

ipl = des_addr ; portl = des_port ; 
hO = hs ; hi = hd ; 

} else { 

ipl = src_addr ; portl = src_port ; 
ipO = des^addr ; portO = des_port ; 
hO = hd ; hi = hs ; 

} 

if( (n_slot = find_slot(ipO, ipl, portO, portl)) == 0) { // ##### 
Find slot in Flow data structure 

printf(" *** Flow Data Full np: %u, scanjiax: %u, 
ip: %u, pt: %u, ipl: %u, ptl: %u\n M , 

np , scan_max , i pO , portO , i pi , portl) ; 

goto read_next ; 



#ifdef CHECK_INDEX 
np, t_run ) ; 

#endif 

WATCH_HOST)) { 
AND ALL PACKETS 



if(n_slot > SLOTS ) { 

printf("Bad n_slot: %u, np:%u, t_run: %u\n" , n^slot, 

fflush(stdout) ; 
break ; 

} 

if ((host[hs] .alerts & WATCH_HOST) || (host [hd] .alerts & 

flow[n_slot] .state |= WATCH^FLOW ; // LOG THIS FLOW 



if((scan_max > SCAN_MAX) && (scan_max> flow[n_slot] . scans)) 

{ // === PORT SCAN DETECTION 
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flow[n_slot] .scans = scan_max ; 
log_pkt = 1 ; 



FIRST PACKET 
ALARM_12W ){ 

all flows and pkts 

and FIRST PACKET 
flow[n_slot] -pt[l] 
flow[n_slot] .pt[2] 



if( ! (flow[n_slot] .state & NOT_FlRST_PKT) ) { // this is 

if CC host[ hs ]. alerts | host[ hd ]. alerts) & 

flow[n_slot] .state |= watch_flow ; // log 

} 

if( flow[n_slot] .state & LOOSE == 0 ){ // not LOOSE 



if ( src_addr < des_addr ) { 

flow[n_slot] .state |= ipO_FlRST ; 
flow[n_slot] . service = 



} 

else { 



} 



flow[n_slot 
flow[n_slot 



.state |= ipl_FlRST ; 
.service = 



if( (transport == 6) && ( tcp_buf[13] != 
0x02 ) && (! fjoose )) { // not SYN, 1st packet not seen 

if(( portO != 25) && (portl ! = 25)) 
flow[n_slot] .state |= N0_SYN ; // do not set for Telnet 

} // end - no SYN 
} // not LOOSE 
} // end - 1st packet in flow 
} // end TCP or UDP 

SWitch( transport ) // ACTION FOR DIFFERENT TRANSPORT PROTOCOLS 

case 6 : // *** TCP *** 
n_tcp++ ; 

flags = (unsigned int) tcp_buf[13] | flag_alr[ tcp_buf[13] ] ; // 
look up flag combinations, set bits 0,1,2,3 

ah = (tcp_buf[12] » 2) & 0x3c ; // tcp_buf[ah] == 1st application 

if( ipO == src_addr) { 

flow[n_slot] .pkts[0]++ ; 

flow[n_slot] .bytes [0] += bytes ; // does not include IP hdr 
flow[n_slot] .f lgs[0] |= flags ; 



header byte ; 



>= 4 bytes long 

flow[n_slot] .bin_norm[0] += 1 ; 



if( (rec_len - bothjidr - m - 20) >= 4) { // app. header 
if( flow[n_slot] .bin_norm[0] < Oxffff ) 
else { 



flow[n_slot] .bin_norm[0] = Oxcfff ; 
flow[n_slot] ,binary[0] = 
(flow[n_slot] .binary[0] » 1) + ( flow[n_slot] .binary [0] » 2 ) ; // 3/16 

f 1 ow [n_sl ot] . bi nary [0] += 

(tcp_buf[ah]»7) + (tcp_buf [ah+l]»7) + (tcp_buf [ah+2]»7) + (tcp_buf [ah+3]»7); 
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if C flow[n_slot] .flag_norm[0] < Oxffff ) 
flow[n_slot] .flag_norm[0] += 1 ; // normalize if needed 

else { 

flow[n_slot] .flag_norm[0] = Oxcf ; 
flow[n_slot].flag[0][0] = (flow[n_slot] .flag[0] [0] 
» 1) + ( flow[n_slot] .flag[0][0] » 2 ) 

+ Cflow[n_slot].flag[0][0] & 1 ) ; // keep > 

0 if ever > 0 

flow[n_slot].flag[0][l] = (flow[n_slot] .flag[0] [1] 
» 1) + ( flow[n_slot] .flag[0][l] » 2 ) 

+ (flow[n_slot].flag[0][l] & 1 ) ; 
flow[n_slot].flag[0][2] = (flow[n_slot] .flag[0] [2] 
» 1) + C flow[n_slot].flag[0][2] » 2 ) 

+ (flow[n_slot].flag[0][2] & 1 ) ; 
flow[n_slot].flag[0][3] = (flow[n_slot] . flag[0] [3] 
» 1) + ( flow[n_slot].flag[0][3] » 2 ) 

+ (flow[n_slot].flag[0][3] & 1 ) ; 
flow[n_slot].flag[0][4] = (f low[n_slot] . flag[0] [4] 
» 1) + ( flow[n_slot].flag[0][4] » 2 ) 

+ (flow[n_slot].flag[0][4] & 1 ) ; 
flow[n_slot] .flag[0] [5] = (flow[n_slot] .flag[0] [5] 
» 1) + C flow[n_slot].flag[0][5] » 2 ) 

+ (flow[n_slot].flag[0][5] & 1 ) ; 

// update flag counters when ipO is source 

if( flags & OxffffffcO ) { 

flow[n_slot].flag[0][0] ++ ; // flags » 0x3f// 

SYN-fin et al 

} 



0x01) 
0x01) 
0x01) 



in_slot; 


.flag 


[0] 




[1] 


+= 


;n_siot; 


.flag 


: o ! 




'2 


+= 


in_slot! 


.flag 


0 




! 3 : 


+= 



lags » bj & uxui ; // urgent 

flow[n_slot] .flag[0] [3] += ((-flags » 4) & (flags » 1) & 

// not-ACK & SYN 

flow[n_slot].flag[0][4] += (( flags » 4) & (flags » 1) & 

// ACK & SYN 

flow[n_slot].flag[0][5] += (( flags » 4) & flags & 

// ACK & FIN 

flow[n_slot].flag[0][6] |= (tcp_buf[18] ! tcp_buf[19]) ; // 



URG pointer 



} 

el se 

{ // 



ipl == src_adr 



fl ow[n_slot 
fl ow[n_slot 
fl ow[n_slot 



.pkts[l]++ ; // [1] indicates ip[l] sent 

. bytes [1] += bytes ;// does not include IP hdr 

.figs[l] |= flags ; 



if( (rec_len - both_hdr - m - ah) >= 4) { 

if( flow[n_slot].bin_norm[l] < Oxffff ) 

flow[n_slot] .bin_norm[l] += 1 ; 

else { 

flow[n_slot] .bin_norm[l] = ( unsigned char) 

Oxcf ; 

flow[n_slot] .binary[l] = 
(flow[n_slot] .binary[l] » 1) + ( flow[n_slot] . binary[l] » 2 ) ; // 3/16 

flow[n_slot] .binary[l] += 

(tcpjnjf [ah]»7) + (tcp_buf [ah+l]»7) + (tcp.buf [ah+2]»7) + (tcp^buf [ah+3]»7) ; //add 0-4 

if( flow[n_slot] ,flag_norm[l] < Oxffff ) 
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flow[n_slot] .flag_norm[l] += 1 ; // normalize if needed 

else { 

flow[n_slot] .flag_norm[l] = Oxcf ; 

flow[n_slot] .flag[l][0] = (flow[n_slot] .flag[l] [0] 
» 1) + ( flow[n_s1ot] .flag[l] [0] » 2 ) 

~ + (flow[n_slot].flag[l][0] & 1 ) ; // 3/4 

flow[n_slot].flag[l][l] = (flow [n_slot] .flag [1] [1] 
» 1) + ( flow[n_slot] .flag[l] [1] » 2 ) 

+ (flow[n_slot].flag[l][l] & 1 ) ; 
flow[n_slot].flag[l][2] = (flow[n_slot] .flag[l] [2] 
» 1) + ( flow[n_slot].flag[l][2] » 2 ) 

+ (flow[n_slot].flag[l][2] & 1 ) ; 
flow[n_slot].flag[l][3] = (flow[n_slot] .flag[l] [3] 
» 1) + ( flow[n_slot] .flag[l] [3] » 2 ) 

"" ' ' + (flow[n_slot].flag[l][3] & 1 ) ; 

flow[n_slot].flag[l][4] = (flow[n_slot] .flag[l] [4] 
» 1) + C flow[n_slot] .flag[l] [4] » 2 ) 

+ (flow[n_slot].flag[l][4] & 1 ) ; 
flow[n_slot].flag[l][5] = (flow[n_slot] .flag[l] [5] 
» 1) + C flow[n_slot] .flag[l] [5] » 2 ) 

+ Cflow[n_slot].flag[l][5] & 1 ) ; 

// update flag counters when ipl is source 

if( flags & OxffffffcO ) { 

flow[n_slot] .flag[l][0] ++ ; // flags » 0x3f// 

SYN-FIN et al 

} 



fl ow[n_slot_ 
fl ow[n_slot; 



flow[n_slot] .flag 



.fl ag 
.flag 



1] += (flags » 2) & 0x01 ; // RESET 
t 2] += (flags » 5) & 0x01 ; // URGENT 
! 3] += ((-flags » 4) & (flags » 1) & 



0x01) ; // not-ACK & SYN 

flow[n_slot] .flag[l][4] += (( flags » 4) & (flags » 1) & 

ACK & SYN 

flow[n_slot].flag[l][5] += (( flags » 4) & flags & 

ACK & FIN 

flow[n_slot].flag[l][6] |= (tcp_buf[18] | tcp.buf [19]) ; // 



0x01) ; // 
0x01) ; // 
URG pointe 



data_0 

tcp_buf, rec_len 



} 

// ===== APPLICATION LAYER CHECK ==== 

app_0 = 4 * (tcp_buf[12] » 4 ) ; // TCP options between 20 and 



bothjidr- app_0; // index in 



5 )) log_pkt = 1 ; 
5 )) log_pkt = 1 ; 



// 
// 



break ; 
case 17 



// 
// 

in tcp_buf 



app_len = rec_len - ip_options_l 

all hdrs 
if( app_len >= 5 ) { 

if( ! memcmp( &tcp_buf[ app_0 ], "ISON " 
if( ! memcmp( &tcp_buf[ app_0 ], ":irc." 

host [hs] .server |= IRC ; 
host[hd] .client |= IRC ; 
} // end - app_len > 4 

// end TCP 

II *** UDP *** 
i nt j , k , d ; 

data_0 =8 ; // 1st byte of data in tcp_buf 

data_l = rec_1en - ip_options_l - bothjidr ; // last byte of data 

d = rec_len - ip_options_l - bothjidr - 8 ; 
n_udp++ ; 

if( ipO == src^addr) j = 0 ; // index 'j 1 is source 
else j = 1 ; 
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k = 1 - j ; 



fl ow 
fl ow 



[ruslot] . pkts[i]++ ; 

"n_slot] .bytes [j] += bytes ; //does not include TCP/IP hdr 

if( d <= SHORT_UDP_MAX ) { 

flow[n_slot] .flag [j] [BAD] ++ ; 
log__pkt = 1 ; 

if((flow[n_slot].pt[k] ==7) || (flow[n_slot].pt[k] ==19)) { // 

echo and chargen 

flow[n_slot] .flag [j] [BAD] ++ ; 
log_pkt = 1 ; 

} 

break ; // end of UDP 

case 1 : // *** icmp *** - no flows for icmp 
n_i cmp++ ; 

//char icmp_type[18] [20] = { M Echo_Reply n , "Type_l", "Type_2", "Des_unreach" , 
"Quench", "Redirect", \ 

//"Type_6", "Type_7", "Echo_Req", "Rtr^\dvert" , "Rtr_Solic", "Time_Out M , 
"Param_Prob", \ 

//"Timestamp", "Time.Reply" , "lnfo_Request" , "lnfo_Reply" , "Type_>16"} ; 

if( hs > 0 ) { 

host[hs] .pkts_ot++ ; 

host[hs] .bytes_ot += bytes ; // does not include IP 

hdr 



host 
host 



hs] .bytes_ot_pp += bytes_hdr ; // includes IP hdr 



)ytes_ 
hs] .pkts_ot ++ 
if( tcp_buf[0] == 8 ) { // Echo_Req 

record_probe( hs, des_addr, des_port ) ; // hs is 
source of probe, des_addr is destination 

host[hs] .pings ++ ; 

if( host[hs] .pings > 200 ) { 

host[hs] .alerts |= PING_ALERT ; 
pthread_mutex_lock( &mp_pai rs) ; // ### lockscans[], 

//xx scan_pair( src_addr, des_addr, ping_scan, 0) 

; // ping probe 

pthread_mutex_unlock( &m^_pai rs)^ ; // ### unlock scans[], 
} 

if( hd > 0 ) { 

host [hd] . pkts_i n++ ; 

host[hd] .bytes_in += bytes ; // does not include IP 



hdr 



host[hd] .bytes_in_pp += bytes_hdr ; // includes IP hdr 
host[hd] .pkts_in ++ ; 



if( tcp_buf[0] == 0 ) { // Echo_Reply 
host[ hd ] .pings ++ ; 

record_probe( hd, src_addr, des_port ) ; // hd is 
source of probe, src_addr is destination 

if( host[hd] .pings > 100 ) { 

host[ hd ]. alerts |= PING^lert ; 
//xx pthread_mutex_lock( &mp_pairs) ; // ### lock scans[], 

//xx scan_pair( des_addr, src_addr, PING_SCAN, 0) 

//xx pthread_mutex_unlock( &mp_pairs) ; // ### unlock scans[], 

if( tcp3uf[0] } == 3 ) { 
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host[ hd ]. rejects ++ ; // Des_unreach 
log_pkt = 1 ; 

record_probe( hd, src_addr, des_port ) ; // hd is 
source of probe, src_addr is destination 

} // end - des unreachable 

if( tcp_buf[0] == 11 ) { // Time-out 

Notice 

register unsigned int d_ip, i_pt ; 
register unsigned short d_pt ; 
host[hd] .traces ++ ; 

d_ip = s2i( &tcp_buf[ 24 ] ) ; // original 

destination in ICMP 8 + ip2[16] 

i_pt = 10 + 4*(tcp_buf [8] & OxOf) ; // index in 
tcp_buf to original src port number 

d_pt = 256 * tcp_buf[ i_pt ] + tcp_buf [ i_pt + 1] ; 

record_probe( hd, d_ip, d_pt ) ; 

if( host[hd] .traces > 100 ) { 
pthread_mutex_lock( &mp_pairs) ; // ### lockscans[], 

scan_pair( des_addr, d_ip, ICMP_T0, 0) ; // 

20 + length of IP header 

pthread_mutex_unlock( &m^_pairs)^; // ### unlock scans[], 

} // end hd > 0 

// data_0 = 8 ; 

// data_l = rec_len - ip_options_l - both_hdr ; // last byte of data in 

tcp_buf 

break ; // end of ICMP 

default: not_tui++ ; // count packets not TCP, UDP, or ICMP 

(discarded) 

} // end of switch on ip_buf[9] - layer 4 protocol 



// ============================== READ NEXT PACKET RECORD 



read_next : 

; // log all flows and pkts 

if(f_demo || log_pkt || flow[n_slot] .state & watch_flow ) { 

fwrite( snp_buf, sizeof (char) , 24 , log_pkt_file) ; // 

write tcpdump packet header 

fwrite( lan_buf, sizeof (char) , lan_hdr , log_pkt_file) ; // 

write tcpdump LAN header 

fwrite( ip^buf , sizeof (char) , tcp_all , log_pkt_file) ; // 

write tcpdump IP & TCP header 

if( f_verbose == 3 ) { printf(" Pkt %u done at %u\n", np, t__run ) ; fflush(stdout) 

pthread_mutex_unlock( &mp_hosts) ; // ### unlock hosts [] 
pthread_mutex_unlock( &mp_flows) ; // ### unlock flows [] 



if(f_file) { // timing control for FILE 

INPUT 

if( t_run > t_pause ) { 

if( f_verbose == 2) printf (" . ") ; // should be 30 

. 1 s then \n 

t_pause += 3 ; 
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if((t_run + t_zero) > t_next_cf) { 

t_next_cf += CLASS_FLOW_INT ; 

if( f_verbose == 2) printf ("\n") ; 

fflush( stdout ) ; 

pthread_mutex_unlock( &mp_class_flow ) ; // clear 

and continue 

if( f_verbose == 2) printf ( " ## process_pkts - 
blocking for other threads. ##\n" ) ; fflush( stdout ) ; 

sleep(2) ; // give class_flows() a chance to run 
pthread_mutex_lock( &mp_class_flow ) ; // block 

until class_flow() is done 

} 

} // end f_file true 

n = fread( (void *) snp_buf, 4, 6, infile) ; // read 

snoop record header into snp_buf[ ] 

if( n<6) { printf ("\nEOF at Packet %u\n", np) ; break ; } 

read_ip_buf : 

if( snoop ) { // snoop 

rec_len = ((unsigned long) snp_buf[8] « 24) | ((unsigned long) 
snp_buf[9] « 16) | \ 

((unsigned long) snp_buf[10] « 8) | 

(unsigned long) snp_buf[ll] ; 

t_read = ((unsigned long) snp_buf [16]«24) | ((unsigned long) 
snp_buf[17] « 16) I \ 

((unsigned long) snp_buf [18]«8) I (unsigned long) 

snp_buf[19] ; 

} else { // tcpdump 

rec_len = ((unsigned long) snp_buf[ll] « 24) | ((unsigned long) 
snp_buf[10] « 16) | \ 

((unsigned long) snp_buf[9] « 8) | 

(unsigned long) snp_buf[8] + 24 ; 

// tcpdump does not 

include it's 24 

thread = ((unsigned long) snp_buf[3] « 24) | ((unsigned long) 
snp_buf[2] « 16) | \ 

((unsigned long) snp_buf[l] « 8) I 

(unsigned long) snp_buf[0] ; 

if( rec_len > snp_rec_max ) { 

printf ("\n*** FILE OUT OF SYNC *** after %u, rec_len %u, not 
%u\n\n", np, rec_len, snp_rec_max) ; 

break ; 

n = fread( (void *) lan_buf, 1, lan_hdr , infile); // read ip+tcp or 
UDP header into lan_buf[ ] 

if ( n < lan_hdr ) { 

printf ("EOF after Packet %u", np) ; 

break ; 

tcp_all = rec^len - both_hdr ; 

n = fread( (void *) ip_buf, 1, tcp_all , infile) ; // read ip+tcp 
header into ip_buf[ ] 

if ( n < tcp_all ) { 

printf ("EOF after Packet %u\n", np) ; 

break ; 

} 

np++ ; 
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//if C (np % 100000) == 0 ) { printfC .\008") ; fflush(stdout) ; } // progress dots 
// t_check = time(NULL) ; 

// printf("np: %u, n_flow: %u, active: %u, max: %u, t_run: %u, Real t: %u\n", 
// np, ruflow, n_active, n_active_max, t_run, (t_check - 

t__now)) ; ///debug 
// fflush(stdout) ; 

} // ##################### break -> END OF LOOP TO READ PACKETS 

######################### 

if( (f_file == 0 ) && (running == l ) ) { // === try TO restart tcpdump 
printf( "\n ### TCPDUMP STOPPED SENDING DATA, will try to restart, np: %u, t_run: %u 
sec\n\n",np,t_run) ; 

fclose( infile ) ; 

for( i = 0 ; i < 3600 ; i++ ) { 

if( running != 1 ) break ; 

if( start_tcpdump( ) == 0 ) { // returns '0' if tcpdump 

restarted successfully 

n = fread( (void *) snpjidr, 4, 6, infile) ; // 

read new file header 

goto restart_here ; 

else sleep( 24 ) ; 
fclose( infile ) ; 

} // end if f_file == 0 -> realtime 

running = 2 ; // RESTART NOT SUCESSFUL, or f_file, => close all threads 

// if( f_file) pthread_mutex_unlock( &mp_class_flow ) ; // clear and let 

process_pkts continue 

printf ("Thread process_pkts ending at t: %u, np: %u\n", t_run, np) ; 
return ; 

} // ### end process_pkts ### 

int start_tcpdump( void ) // ==================== START (and RESTART) TCPDUMP 

_ 

FILE * tmpfile ; 

register int i , j ; 

char c, command [200] , select [120] ; 

if( setuid(O) != 0 ) { 

printf ( " ### CAN NOT SETUID(O) and START tcpdump - 

TERMINATING ###\n") ; 

return( 1 ) ; 
sprintf (command, "date\n") ; 

printf C" system commands: %s", command) ; // this will 

print date and time 

system(command) ; 

kill_tcpdump() ; // kill any present instance of tcpdump 
sleep(l) ; 

spri ntf (command , M /usr/bi n/mkf i fo myf i fo M ) ; 

printf (" : %s\n", command); // this will create a new 



"myfifo" 
interface ethl 



if( system(command) ) printf (" #### FAILED ####"); // reset 



sprintf (command, M /sbin/ifconfig ethl down promise up"); 

printfC : %s\n", command) ; // reset ethl to promiscuous 

and start it up 

if( system(command) ) printf (" #### FAILED ####"); // reset 
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interface ethl 

sprintf(command,'7bin/nice -20 /usr/sbin/tcpdump -lni ethl -s 120 -w myfifo 'ip' 
l»log_tcpdump 2»log_tcpdump &"); 

printfC" : %s\n", command) ; // kill( (pid_t) k, SIGQUIT ) ; 

sleep(l) ; 

if( o == system(command)) { // start 'tcpdump 1 on interface ethl 
if((infile = fopen ("myfifo" , "rb")) !=NULL) { // OPEN 
input FILE // File opening for input from TCPDUMP 

printfC tcpdump started SUCESSFULLY.\n") ; 
return( 0 ) ; 

} 

printfC" tcpdump start or 'myfifo 1 OPEN - failed. \n") ; 
return( 1 ) ; 
} // end start_tcpdump 

void kill_tcpdump( void ) { 
i nt i , j , k ; 

char command [100] , select [100], c ; 
FILE *tmpfile ; 

system("/bin/ps -e | /bin/grep 'tcpdump 1 > tempf kiebtj" ) ; // 

see if TCPDUMP running 

if( (tmpfile = fopen("tempfkiebtj" , "r")) != NULL) { 

for( i = 0 ; i < 99 ; i++ ) { 

if( C (c = getc(tmpfile)) != EOF) && ( c >= 32) ) { 
select[i] = c ; 

else { 

select [i] = 0 ; 
break ; 

} } 
fclose(tmpfile) ; 

systemC/bin/rm -f tempfkiebtj") ; 



end, if any 



select[i-7] ==■')){ 



while( (select [i] <= 1 ') && (i > 0) ) { // remove spaces at 
select [i] = 0 ; i-- ; 

} 

if( (i>7) && ( 0 == strcmp("tcpdump", &select [i -6])) && ( 

= -l ; 



1 = -l ; 

for( i = 0 ; i < 99 ; i++ ){ 

if((select[i] == 1 ') && (j >=0)) { 
select[i] = 0 ; 
break ; 

if((select[i] != 1 ') && (j < 0)) j = i ; 

k = atoi (&select[j]) ; 

if( (k > 0 ) && ( k <= 99999) ) { 

sprintf (command, "/bin/kill %d", k) ; 
printf(" system command sent to kill 
tcpdump: %s ", command) ; // kill( (pid_t) k, SIGQUIT ) ; 

if( system(command) ) printfC #### FAILED 
####\n"); // kill tcpdump, if necessary 

else printfC — SUCCESS — \n"); 
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} 



} 
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sleep(l) ; 



still running 



} // if file tempfkiebtj opened - tcpdump now "killed" if it was 



sprintf (command, "/bin/rm -f myfifo"); 

printf (" : %s command) ; // this will remove "myfifo" 

(and junk still in it) 

if( system(command) ) printf(" #### FAILED ####\n"); // reset 

interface ethl 

else printf(" --- SUCCESS — \n"); 
} // end - kill_tcpdump() 



void usage( void ) { 

printf ("\nusage: lancope in-file out-file flags\n"); 

printf(" Output file extension should be .csv for staroffice, .txt for 
Excel\n"); 

printf (" output file = '- f means date-derived file, yymmddhh.txt , e.g. 
1 00081515. txt\n" ); 

printf (" Flags: d = dotted decimal, e = encrypt local IPs, a = write all 
flows\n"); 

printf (" 
alert & traffi c\n") ; 

printf (" n = no-read old profiles\n M ) ; 

printf (" A file, * lancope_config.txt' must be in the default directory 
with config info\n"); 
exit(-l) ; 

} 



f = input from file, s = split_path, o = demo, all on 



unsigned long s2i (unsigned char bb[4]) //msB first string to uns long int 

unsigned long j ; 
j = ((unsigned long) bb[0]) « 24 
((unsigned long) bb[2]) « 8 
return(j) ; 
} //end s2i() 



((unsigned long) bb[l]) « 16 | \ 
((unsigned long) bb[3]) ; 



b2i (unsigned char bb[4]) //IsB first string to uns long int 



unsigned long 

unsigned long j ; 
j = ((unsigned long) bb[3]) « 24 
((unsigned long) bb[l]) « 8 
return(j) ; 
} //end b2i() 



((unsigned long) bb[2]) « 16 I \ 
((unsigned long) bb[0]) ; 



long find_slot( unsigned long ipO, unsigned long ipl, long portO, long portl) 
// returns 0 if no slot available, i if entry exists // mp_flows LOCKED 

{ 

unsigned long x, i, i_mark, n, index, h, flows_max = SLOTS, unlock = 0 ; 

int hi hi = 0 , ftp_server = 0 ; 

if(! pthread_mutex_trylock( &mp_flows ) ) { 

printf (" ### find_slot() without mutex m_flow being set. t: 
%u, Running: %u\n" ,t_run, running) ; 

unlock = 1 ; 

} 
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x = ipO a (ipl«ll)A(i p i»21) ; //*** make index from DA, SA, check Port 
index = x ; 

for (i = SHIFT ; i < 32 ; i += SHIFT ) { 
x = x » SHIFT ; 

index a= x ; // XOR bytes together 

index = index & MASK ; // limit to right SHIFT bits 
index++ ; // index can be 1 to 2An +1 

// — look for matching connection or first empty slot 
scan_max = 0 ; // count max ports connected 
if(( portO > 1023) && (portl > 1023)) hihi = 1 ; 

( portO == 20 )) ftp_server = 1 ; 
( portl == 20 )) ftp_server =2 ; 



if(( portO == 21) | 
if(( portl == 21) 



if( flow [index] .root) { // root not empty, run through list, look for 
matching flow 

i = flow [index] . root ; 
do { 

register int nomatch, type ; 
nomatch = 1 ; // test match below 

if( (flow[i].ip[0] == ipO) && (flow[i ] .ip[l] == ipl) ) { // 
nomatch if IP's different 

scan_max++ ; //max ports open 

ipO-ipl 

type = ( flow[i] .state » 1 ) & 3 ; // type = 0, 1, 

2 

if C(flow[i] .service & HI_HI)&&(! (flow[i] .service & 

FTP_ANY) )) { 

if( ftp_server == 1 ) flow[i] . state |= FTP_SER_0 ; 
// new flow is marked for FTP_0/1 

if( ftp_server == 2 ) flow[i] . state |= FTP_SER_1 ; 
// and the old one has high-high ports 

if(( hihi ) && (! ftp_server)) { 

if(flow[i] .state & FTP_SER_0) ftp_server = 1 ; // 
old flow is marked for ftp_0/1 and 

if(flow[i] .state & FTP_SER_1) ftp_server = 2 ; // 

the new one has high-high ports 

} // end - if FTP check 

switch ( type ) { 
case 0 : 

if( (flow[i] .pt[0] == portO) && 
(flow[i] .pt[l] == portl) ) { // exact port match 

nomatch = 0 ; 
break ; 

if( flow[i].pt[l] == portl) { 
nomatch = 0 ; 

flow[i] .state |= 0x2 ; // type => 1 



ipl is Server, ipO is client 
flow[i] .pt[0] ; 
flow[i] .pt_min = portO ; 
flow[i] .pt_max = portO ; 
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flow[i] .pt_min = flow[i ] . pt_max = 
if( portO < flow[i] .pt_min ) 
if( portO > flow[i] .pt^max ) 
break ; 



ipO is Server, 
flow[i].pt[l]; 
flow[i] .pt_min 
flow[i] .pt_max 



ipl is client 

= portl ; 
= portl ; 



flow[i] ,pt_min 
flow[i] . pt_max 



flow[i] .pt_min 
flow[i] .pt_max 



list, no match 



portO 
portO 



portl 
portl 



} 
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if( flow[i] .pt[0] == portO) { 
nomatch = 0 ; 

flow[i] .state |= 0x4 ; // type => 2 
flow[i] .pt_min = flow[i ] . pt_max = 
if( portl < flow[i] ,pt_min ) 
if( portl > flow[i] ,pt_max ) 
break ; 

} 

break ; 
case 1 : // ipO is client 

if( flow[i].pt[l] == portl) { 
nomatch = 0 ; 

if( portO < flow[i] .pt_min ) 
if( portO > flow[i] .pt_max ) 
break ; 

} 

break ; 
case 2 : // ipl is client 

if( flow[i] .pt[0] == portO) { 
nomatch = 0 ; 

if( portl < flow[i] .pt_min ) 
if( portl > flow[i] .pt_max ) 
break ; 

} 

break ; 
} // end switch( type ) 



if( nomatch ) { 

if( (flow[i].up)) { 

i = flow[i] .up; 

} else { 

break ; // break out of while(l) 

} 



end of 



} else { // there was a match 

goto update_flow ; // slot for flow already exists 

} while( 1) ; // break out (goto) when end of list or match found 



i_mark = i 



// index of last entry in list - new HOST ENTRY 



for( n = 0 ; n < RANGE ; n++) { 
i += 5 + n ; 

if( i >= SLOTS ) i = i - SLOTS + 1; // can not use i = 0 
if (flow[i] .down == 0 ) { // empty, use for new entry 

flow[i_mark] .up = i ; 

flow[i].down = i_mark ; 

goto new_flow ; 
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flows [] 



n_full++ ; 

if( unlock ) pthread_mutex_unlock( &mp_flows) 



// ### unlock 



} 



return( 0 ) 



// flow data sub-structure full 



else { // flow[index] . root == 0, search for any empty slot for new 
ENTRY, 1st for this ipO-ipl 
i = index ; 

for( n = 0 ; n < RANGE ; n++) { 
i += 5 + n ; 

if( i >= SLOTS ) i = i - SLOTS + 1; // can not use i = 0 



if (fl ow[i 
f 
f 



.down == 0 ) { 
ow [index] . root = i 
ow[i] .down = index 



} 



} 



goto new_flow; // new leaf 



flows [] 



n_full++ ; 

if( unlock ) pthread_mutex_unlock( &mp_flows) 



// ### unlock 



} 



return( 0 ) 



// flow data sub-structure full 



new_fl ow: 



n_f 1 ow++ ; 
n_active++ ; 

if( n > n_max) n_max = n 



f low[i 
flow[i 
flow[i 
flow[i 
fl ow[i 
fl ow[i 
fl ow[i 
if( f_ 



, up 

ip" 

,ip 

pt 
Pt 



= 0 
= ipO 
= ipl 
= portO 
= portl 



// check hash efficiency 



start = t_run 

.state = transport & 0x1 ; // 0 -> TCP, 1 -> UDP, Type = 0 
oose) flow[i] .state |= LOOSE ; 



if( ftp_server ) { 

flow[i] .service = 21 ; 
if( ftp_server == 1) flow[i] .state 
if( ftp_server == 2) flow[i] . state 

if( hi hi ) flow[i] .state |= HI_HI ; // 
update_flow: 

flow[i].last = t_run ; 

if( unlock ) pthread_mutex_unlock( &mp_flows) 
return( i ) ; 

// end find_slot() 



= FTP_SER_0 
= FTP_SER_1 



// set bit 
// set bit 



// ### unlock flows [] 



} 

void 
#### 
// 



class_flow( void ) { // ####### CLASSIFY FLOW ###locks flows, then hosts 



unsigned int i, j, k, n, si = 0, udp, error_count = 0, alarmsO = 0, hO = 0 ; 
unsigned long h ; 

unsigned int ppsO, ppsl, flows_ended, n^fprint, mm^bit, mcast_bit, odd^bit, 
bcast_bit, wai ; 

char reason [20] ; 

time_t t_here, t_next_prof ; 

int this_hour, last^hour, clear ; 



t_wa_last = t_zero 
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// bit for multimedia , 

// bit for multicast service, 

// bit for broadcast service, 

// bit for odd service, 
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mmjrit = port_mask[ 2 * UDP_PORT_OFFSET +1 ] 
psedo-port = 2049 

mcast_bit = port_mask[ 2 * udp_port_offset +2 ] 
psedo-port = 2050 

beast _bit = port_mask[ 2 * UDP_PORT_OFFSET +3 ] 
psedo-port = 2051 

odd_bit = port_mask[ 2 * UDP_PORT_OFFSET +4 ] 
psedo-port = 2052 
printf ("Thread class_flow start at t: %u, np: %u, flows: %u\n M , 

(unsigned int) *(&t_run), (unsigned int) *(&np) , (unsigned 

int) *(&n_flow) ) ; 

if( *(&running) == 1 ) { 

unsigned int cfi = CLASS_FLOW_lNT ; // cfi = 30 s 
unsigned int wai = WEB_ALERT_INT ; // wfi = 900 
t_next_cf = *(&t_zero) + 0.5 * cfi ; 

t_next_cf = t_next_cf + cfi - (t_next_cf % cfi) ; // moves to 
nearest even value 

t_next_web = t__zero + 1.5 * wai ; 

t_next_web -= ((t_next_web % wai) + 2) ; // moves to nearest even 

value * wfi 

t_next_prof = t_next_web + 0.5 * wai - 2 ; // save profiles between 

web_alert calls 

// t_bs_last = t_zero ; // moves to nearest even value * 

TR A F_T A B L E__M I N 
} 

// printf (" class_flow() - t_run: %u, tjiere: %u, t_next_cf: %u, t_next_web: 
%u\n", 

// *(&t_run), *(&t_run) + t_zero , t_next_cf, t_next_web) ; 

// fflush( stdout ) ; 

last_hour = 100 ; // will be initial set later - hour of the day, 1-23 

while( running) { // 'running' == 1: loop, 'running 1 == 2: execute once and return 
register unsigned int hostO , alarmO, age ; 

if( f.file) { 

sleep(2) ; 

if( f_verbose == 2) printf ("Class_Flow approching mutext lock. 
t_run: %u\n", *(&t_run) ) ; 

fflush( stdout ) ; 

pthread_mutex_lock( &mp_class_flow) ; // ### block process_pkts() 

if( f_verbose == 2) printf ("Class_Flow passed mutext lock. 
t_run: %u\n", *(&t_run) ) ; 

fflush( stdout ) ; 

} 

if( f_file) tjiere = *(&t_run) + t_zero ; // t_run always starts at 1 
else t_here = time( NULL ) ; // if realtime, use real time 

while((t_here < t_next_cf) && (running == !)&&(! f_file) ) { 

sleep(l) ; // stall if running == 1, then check 'running 1 and 
(tjiere < t_next_cf) 

if( fJMle) tjiere = *( &t_run ) + t_zero ; 
else t_here = time( null ) ; 
if( tjiere >= t_next_cf) break ; 

if( f_file == 0) t_run = t_here - t_zero ; 

if( running == 0 ) break ; 
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t_next_cf += CLASS_FLOW_INT ; 
if (f_verbose) { 

printf("* Thread class_flow operating at t: %u, next: %u, np: %u, 

flows: %u\n", 

t_here - t_zero, t_next_cf - t_zero, (unsigned int) *(&np), (unsigned 
int) *(&n_flow)) ; 

if(f_verbose > 1 ) fflush( stdout ) ; 

n_f print = flows_ended = 0 ; 

for( i = 1 ; i < SLOTS ; i++ ) { 

unsigned long quiet, p, h[2] ; 
int s[2] , c[2] , list ; 

// s/C determined by SYN's and SYN-ACK's 

if (flow [i] .down) { // flows that exist 
pthread_mutex_Jock( &mp_flows) ; // ### lock flows [] 

if (flow [i] .down) { // confirm after locking 



reason [0] = 0 ; 
clear = 0 
quiet = 70 
age = 30 
list = 0 
if( flow[i] 
port_name 

else udp = 0 ; 



// udp and tcp single die if quiet > 20 sec 
state & udp_flow) udp = udp_port_OFFSET ; // index offset for 



i]. state & udp_flow)) && (flow[i] .pkts[0] > 
) && 

.pkts[l] > flow[i] .flaq[0][RST]) ) quiet = FLOW_DEAD ; 
// if TCP and packets in + packets out > resets returned wait flow_dead 
(300 s) 



if( (!(flow 
flow[i] .flag[l] [RST 
(flow[i 



if( ( t_run > ( flow[i].last + quiet ) ) II (running==2) ) { // if flow has 
been silent for 'quiet 1 seconds 

flows_ended++ ; 

clear = 1 ; 
} // end - check to 'clear 1 

// ============== CHECK FOR PROBES AFTER 'AGE 1 ====================// 

if(( ! (flow[i] .state & ATTACK_CHK ) ) && (t_run > (flow[i] .start + age)) ){ 

register long int sa = 0, da = 0 ; // If flow NOT classified, and 

'old 1 , check for probes 

unsigned char probe_type = 0 ; 
unsigned short probe_port = 0 ; 

pthread_mutex_lock( &mp_hosts) ; 

flow[i] .state |= attack_CHK ; // set so we check once only 

for( j = 0 ; j <= 1 ; j++ ) { 
k = 1 - j ; 

Krobe_type = 0 ; 
[j] = find_host( flow[i] .ip[j] , flow[i] .bytes [j] ) ; // h[j] -> 
ip[j], may be '0' if slot does not exist 
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if(! (flow [i] .state & UDP_FLOW)){ // TCP - check for probes 
if( flow[i].pkts[j] && ( (flow[i].pkts[k] 
flow[i].flag[k][RST] ) | I 

(flow[i].pkts[j] == flow[i].flag[j][BAD]) || 

(flow[i].pkts[k] 0 )) ) { 

probe_type = tcp_probe ; 
} }// end - TCP probe check 

else if( flow[i].flag[j][BAD] + flow[i] .flag [k] [RST] ) { // udp 
Check RST means ICMP port unavailable 

probe_type = udp_probe ; 
} // end - UDP probe check 

if( probe_type && h[j]) { 

list = 1 ; strcat( reason, "Probe ") ; 

record_probe( h[j], flow[i] .ip[k] , flow[i] .pt [k]) ; // h[j] 
is source index of probe, 'k' is destination ip 
pthread_mutex_lock( &mp_pairs) ; // ### lock scans[], 

scan_pai r( flow[i] .ip[j] , flow[i] .ip[k] , probe_type, 
flow[i].pt[k] ) ; // ip[j] hit ip[k]:pt[k] 
pthread_mutex_unlock( &mp_pairs) ; // ### unlock scans [] , 

flow[i] .state |= ( PROBE | CLASSIFIED ) ; // flow has been 
classified as "probe" 

} // end - probe_type > 0 
} // end - j = 0,1 

// ========================= check FOR attacks after ' of age 1 

if((!udp) && (! (flow [i] .state & ATK_PROBE))){ // if TCP - check for 
half -open attack 

for( j = 0 ; j <= 1 ; j++ ) { 
k = 1 - j ; 

if(( flow[i].pkts[j] > 16 ) && ( flow[i].flag[j][SYN] > 
(0.75 * flow[i].pkts[j] )) && 

(flow[i].flag[k][S_A] > 4) ) { //if half-open 
attack, 'j' attacking 'k' ti 

list = 1 ; strcat( reason, "HO_Attack ") ; // will 
list only if clear is set for this cycle 

if( h[j] ) { 

record_probe( h[j], flow[i] .ip[k] , 
flow[i] .pt[k]) ;// h[j] is source of probe, des_addr is destination ip 

host[ h[i] ]. alerts |= ho_attack ; 

host[ h[j] ]. concern += ho_attack_init_CI ; 

} // end - findJiostO ok 
pthread_mutex_lock( &mp_pairs) ; // ### lock scans[], 

scan_pair( flow[i] .ip[j] , flow[i] .ip[k] , half^open, 
flow[i] .pt[k]) ; // type 8 -> circle packet 
pthread_mutex_unlock( &mp_pairs) ; // ### unlock scans[], 

flow[i] .state |= ( classified | attack ) ; // flow 

has been classified as "attack" 

} // end - Half -Open Attack found 
} // end - for i = 0,1 and k = 1,0 
} // end - check for ha If -open (lots of SYN's evoking syn-ack's) 

?thread_mutex_unlock( &mp_hosts) ; 
// end - #### check for probes & attacks after 'age 1 #### 

// ===================== end-OF-life flow 

classification ===================== // 

if( (!(flow[i]. state & classified)) && clear ) { // ### classify flow, - determine 
server/client ### 

c[0] = c[l] = s[0] = s[l] = 0 ; 
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pthread_mutex_lock( &mp_hosts) ; 

h[0] = find_host( f low[i] . ip[0] , flow[i] .bytes [0] ) ; // h[j] -> ip[j], may 
be '0' if slot does not exist 

h[l] = find_host( flow[i] .ip[l] , flow[i] .bytes [1] ) ; 

if (f_verbose==4) { 

printf(" -- Flow Ended. t_run: %u, Flow[%u] .last: %u, quiet: %u, 
t[NOW]-t_zero: %u\n" , 

t_run, i, flow[i] .last, quiet, t_here - t_zero ) ; 
printf( H -- Type:%u, FTP: %x, PortO: %u, Portl: %u, Serv: %u, Pmin: %u, Pmax: %u, 
synO: %u, saO: %u, synl: %u, sal: %u\n" , 

(flow[i] .state & 6) » 1, (flow[i] .state & FTP_ANY) » 12, 
flow[i] .pt[0] ,flow[i] .pt[l] ,flow[i] .service,flow[i] .pt_min, 

flow[i] .pt_max, flow [i] .flag [0] [SYN] ,flow[i] .flag[0] [S_A] , flow [i] .flag [1] [SYN] ,flow[i 
l.flag[l][S_A] ) ; 

for( j = 0 ; i <= 1 ; j++ ) { // ##### TCP - Check ip[j] for Port Probing based 
on flow data for LOOSE flow ##### 

k = 1 - i ; 

if( h[j]3 { 

if(flow[i] .state & LOOSE) { // LOOSE === Handle case where not 
all packets have been seen 

if(flow[i] .scans >= scan_max) { 

if(flow[i].flag[k][RST] >= (flow[i] .pkts[k] /2 + 2)) 
{// if the other guy sent many resets 

host[h[j]] .pt_scans++ ; 
list = 1 ; strcat( reason, ,, Pt_Scan2 ,, ) ; 
flow[i] .state |= probe ; 
record_probe( h[j], 

flow[i] .ip[k] ,flow[i] .pt[k] ); // h[j] is source index of probe, des_addr is 
destination ip 

pthread_mutex_lock( &mp_pai rs) ; // ### lock scans[], 

scan_pair( flow[i] .ip[j] , flow[i] .ip[k] , 
TCP_PORT_SCAN , 0 ) ; // ip[i] hit multi -ports 

pthread_mutex_unlocK( &mp_pairs) ; // ### unlock scans[], 
} } } 

else { // not LOOSE 

if((flow[i] .scans >= SCAN_max) || (flow[i] .flag[k] [RST] == 
flow[i] .pkts[k])){ // >SCANMAX or all RSTs 

if(flow[i].flag[k][RST] >= (flow[i] .pkts[k] /2 + 1)) 
{// if the other guy sent more resets 

host [h [ j] ] . pt_scans++ ; 
list = 1 ; strcatC reason, "Pt_Scan2 ") ; 
flow[i] .state |= PROBE ; 
record_probe( h[j], flow[i] .ip[k] , 
flow[i] .pt[k]) ; // h[j] is source index of probe, 'k 1 is destination ip 
pthread_mutex_lock( &mp_pairs) ; // ### lock scans[], 

scan_pair( flow[i] .ip[j] , flow[i] .ip[k] , 
TCP_PORT_SCAN , 0 ) ; // ip[i] hit ip[k]:pt[k] 

pthread_mutex_unlock( &mp_pairs) ; // ### unlock scans[], 
} } 

} // end - not LOOSE 

} // end - h[j] 

} // end - j=0,l k=l,0 TCP check for Port Probes, not atk_probe 

if( flow[i] .state & ftp_any ) { // ===== ftp ========== // 

if( flow[i] .state & FTP_SER_0) s[0] = c[l] = 1 ; 

else if C flow[i] .state & ftp_ser_1) s[1] = c[0] = 1 ; 

} // end ftp 
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else { // not ftp 

for( j = 0 ; j <= 1 ; j++ ) { 
k = 1 - j ; 



if( (!flow[i] .flag[j][SYN]) && (!flow[i] .flag[k] [s_A]) 

-" "i].flag[i][S_A] || flow[i].flag[k][SYN])) { 
s[j] = 1 ; c[k] = 1 ; // ipCj] 



is server, ip[k] is Client based on flags 

} //flag-3 is SYN, flag-4 is syn-ack (S^) 

if( ! (flow[i] .state & 0x6)) { // type 0 - both ports constant 
if( c[j] == 1 ) flow[i] .pt_min = flow[i] .pt_max = 
flow[i] .pt[j] ; // ipO is client 

}// end - j = 0,1 k=l,0 

// S/C determinded by flow Type for UDP and TCP (if not FTP) 
if( flow[i] .state & 0x2 ) c[0] = s[l] = 1 ; // type 1, ipO is client. 
Disagree with flags -> port scan 

if( flow[i] .state & 0x4 ) c[l] = s[0] = 1 ; // type 2, ipl is client 

if( (! udp) && (flow[i] .state & LOOSE) && (! c[0]) && (! s[0]) ) { // loose 
-> syn and s-a may be lost 

if( (flow[i] .pt[0] < LOW_PT_MAX ) && (flow[i] .pt[l] >= LOW_PT_MAX )) 

{ s[0] = c[l] = 1 ; } 

if( (flow[i] .pt[l] < LOW_PT_MAX) && (flow[i] .pt[0] >= LOW_PT_MAX )) 

{ s[l] = c[0] = 1 ; } 

if((flow[i] .pt[0]==22) | | (flow[i] .pt[0]==37) | | (flow[i] .pt[0]==53)) 

s[0] - c[l] - 1 ! f((f1ow[i] ipt ri] == 22)| |(flow[i] .pt[l]==37)| | (flow[i] .pt[l]==53)) 
s[l] = c[0] = 1 ;// ssh (22) - low client numbers 

if((flow[i] .pt[0]==512) | | (flow[i] .pt[0]==513) | | (flow[i ] . pt[0]==514)) 
s[0] = c[l] =1 ; // login, sh, prt also 

if ((flow[i] .pt[l]==512) | | (flow[i] .pt[l]==513) | I (flow[i] .pt[l]==514)) 
s[l] = c[0] = 1 ; 

if (f_verbose==4) { 

printf(" -- Before. sO: %u, cO: %u, si: %u, cl :%u", s[0], c[0] 

,s[l], c[l] ) ; 
} 

// Last_Resort to Determine who (0 or 1) is the Server 

if(( !c[0]) && (!s[0])) { . 

for( j = 0 ; j < 2 ; ]++ ){ // if one port is a common server port, 
assume it is the server port 

k = 1 - j ; 

if(( flow[i] .pt[j] < UDP_PORT_OFFSET ) && ( port_mask[ 
flow[i] .pt[j] ])){// if either port is a common local server port 

s[j] = c[k] = 1 ; 

} } 

} // end - find c[] and s[] when not FTP 

if( c[0] && ( flow[i] .pt_min < flow[i] .pt[0])) flow[i] . pt_min = 

flow[i] .pt[0] ;// TELLS IF CLIENT IS ' LOW 1 

if( c[l] && ( flow[i] .pt_min < flow[i] .pt[l])) flow[i] .pt_min = 
flow[i] .pt[l] ; 

if( s[0] && ( ! flow[i] .service) ) flow[i] .service = flow[i] .pt[0] ; // 

TELLS IF SERVER IS 'LOW' OR 'HIGH' 

if( s[l] && ( ! flow[i] .service) ) flow[i] .service = flow[i] .pt[l] ; 

if(f_verbose==4) printf(" After. s0=%u, cO=%u, sl=%u, cl=%u, Service: %u, 
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Port_min: %u\n n , s[0], c[0] ,s[l], c[l], 

flow[i] .service, flow[i] .pt_min) ; 

// ===========:========= END OF SECTION THAT DETERMINES WHO IS HOST, WHO IS SERVER 

___// 

hostO = alarmsO = 0 ; 

for( j = 0 ; i < 2 ; j++ ){ 

k = 1 - j ; // j,k = 0,1 and 1,0 ========== 'j' is this host, 'k' is 

other host 

if( ! (flow[i] .state & ATK_PROBE )) { // if not already known to be a probe 
from early check 

// ##### TCP - Check ip[j] for Port Probing based on flow data for LOOSE flow 
##### 

if(flow[i] .state & LOOSE) { // LOOSE === Handle case where not 
all packets have been seen 

if(flow[i] .scans >= SCAN_MAX) { 

if(flow[i].flag[k][RST] >= (flow[i] .pkts[k] /2 + 2)) 
{// if the other guy sent many resets 

host [h [ j ] ] . pt_scans++ ; 

list = 1 ; strcatC reason, "TCP_Pt_Scan ") ; 
flow[i] .state |= probe ; 
record_probe( h[j], 

flow[i] .ip[k] ,flow[i] .pt[k] ); // h[j] is source index of probe, des_addr is 
destination ip 

pthread_mutex_lock( &mp_pai rs) ; // ### lock scans[], 

scan_pair( f low[i] . ip[j] , flow[i] .ip[k] , 
TCP_PORT_SCAN , f 1 ow[i ] . pt [k] ) ; // ip[i] hit ip[k]:pt[k] 

pthread_mutex_unlockC &mp_pairs) ; // ### unlock scans [], 
} } } 

else { // not loose 

if((flow[i] .scans >- SCAN_MAX) II (flow[i] . flag[k] [RST] == 
flow[i] .pkts[k])){ // >SCANMAX or all RSTS 

if(flow[i].flag[k][RST] >= (flow[i] .pkts[k] /2 + 1)) 
{// if the other guy sent more resets 

host[h[j]] .pt_scans++ ; 

list = 1 ; strcatC reason, M TCP_Pt_Scan ") ; 
flow[i] .state |= PROBE ; 
record_probe( h[j], flow[i] .ip[k] , 
flow[i] .pt[k]) ; // h[j] is source index of probe, 'k 1 is destination ip 
pthread_mutex_lock( &mp_pairs) ; // ### lock scans [] , 

scan_pair( flow[i] .ip[j] , flow[i] .ip[k] , 
tcp_P0RT_SCAN , f 1 ow[i ] . pt [k] ) ; // ip[i] hit ip[k]:pt[k] 

pthread_mutex_unlock( &mp_pairs; ; // ### unlock scans[], 
} } 

} // end - not LOOSE 

} // end - TCP check for Port Probes, not atk_probe 
} // end j=0,l k=l,0 

for( j = 0 ; j < 2 ; j++ ){ // === 'TOUCHING 1 === mark hosts that send 

data to high CI host 

k = 1 - j ; // j,k = 0,1 and 1,0 ========== 'j' is this host, 'k 1 is 

other host 

if( host[h[j]] .alerts & ALARM_12w) { // alarm-1 or -2 or WATCH_HOST save 
flow info 

list = 1 ; 
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if( h0St[h[j]] .alerts & ALARM_2) { // ALARM-2 ### HOSTS MARKED 

ALARM_1 HERE ### 

if( ( j == l) && hostO ) { // i == 1 

// IP[0] marked alarm-0 for sending data to bad guy 

ip[1] 

host[ hostO ]. alerts |= alarm_1 ; 
host[ hostO ].alarm_t = tjiere ; 

} 

if( j == 0 ) { // j == 0 

alarmsO = 1 ; // set if ip[0] is bad guy 

} 

} 

} 

if( alarmsO && (j == 1) && flow[i] . bytes[j] ) { //j==l, ip[0] is bad, data 

was sent 

host[h[j]] .alerts |= ALARM_1 ; // IP[1] marked ALARM-0 for talking 

to bad guy IP[0] 

hostO = h[j] ; // only used when j = 1, then -> ip[0] // === END 
'TOUCHING 1 === 



// --- if ip[j] sent a packet that was not a RESET, then add to host[j] 
client or server statistics 

if(host[h[i]] .last < flow[i] .last) host[h[j]] .last = flow[i].last ; // update 
host 'last time 

if(( flow[i] .pkts[j] > flow[i].flag[j][RST]) && (! (flow[i] .state & ATK_PROBE) ) ) { // 
only if 'j 1 sent non-RES packets 

if( !udp ) { // TCP ip[J] <-> host[h[j]] 

if(( flow[i] .pkts[j] > 0 ) && ( flow[i].pkts[k] > 0) ) { // multiple 

TCP packets 

int common = 0 ; 

if C s[j] && (!c[i])) { // "ip[j]" -> host[h[j]] is Server 
host [h [j] ] .s_f lows ++ ; 

if( (flow[i] .service < udp_port_offset) && 
(port_mask[ flow[i] .service ]) ) common = 1 ; 

if C(flow[i] .service < low_pt_max) || common) { // 

server j is LO 

if( ! host[h[j]] .port_smin 

) host[h[j]] .port_smin = flow[i] . service ; 

if( flow[i] .service < host[h[j]] .port_smm ) 

host[h[j]] ,port_smin = flow[i] .service ; 

if( flow[i] .service > host[h[j]] .port_smax ) 

host[h[j]] ,port_smax = flow[i] . service ; 

host[h[j]] .server |= port_mask[ 

flow[i] . service ] ; 

if (f_verbose==4) printf( M Server: %d, common: %d j, common ) ; 
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if(( flow[i] .pt_min < low_pt_max) && 
(flow[i] .service != 22) && (flow[i] .service != 37)) { 

if( ! ( (flow[i] .pt_min == 
flow[i] .service) && ((flow[i] . service==53) || (flow[i ] . servi ce == 109) ))) { 

host [h [ j ] ] . bad^f 1 ow++ ; // 
DNS (53) and POP2 (109) talk as peer to peer on same ports. 

list = 1 ; 

strcat( reason, "LO-LO-S") ; 
host[h[j]] .alerts |= 
LO_LO_CS ; // do not alert on DNS or POP2 servers connecting 

host[h[j]] .concern += LO_LO_Cl ; 

} } 

} // end server port < udp_port_offset 

else { // Server is HIGH 
// host[h[j]] .server |= 

HlGH_PORT_SERVER ; // appears to be high-port server 

hos t [h [ j ] ] . bad_f 1 ow++ ; 



client k HI , port > 1023 



"LO-HI-S") ; 



} 



if( flow[i] .pt_min > low_pt_max ) { 

host[h[j]] .alerts |= HIJLCS ; // 

host[h[j]] .concern += HI_JHI_CI ; 

list = 1 ;strcat( reason, "HI-HI-S") 

} 

else { 

host[h[j]] .alerts |= LO_hi_cs ; 
host [h[j]] .concern += LO_Hl_Cl ; 

list = 1 ; strcat( reason, 

} 



odd service 

flow[i] . service ) break ; 



if( ! common) { 

host[h[j]] .server |= odd_bit ;// bit for 

for( p =0 ; p < 10 ; p++ ) { 

if( host[h[j]] .s_list[p] == 



if( ! host[h[i]].s_list[p] ) { 
host[h[j]] .s_list[p] = 
flow[i] .service ; // if uncommon port, add to list 

break ; 

} 

} 

} // end ! common 
} // end ip[j] is server 

if ( c[j] && (!s[j])) {// ip[j] -> host[h[j]] is client 
int common = 0 ; 
host [h [j] ] .c_f lows ++ ; 

if((flow[i] .scans > SCAN_MAX) && (flow[i] .pkts[j] >= 
flow[i] .pkts[k])) host[h[j]] .pt_scans++ ; . . 

i f ( ! host [h [] ] ] . port^cmi n ) 

host[h[j]] .port_cmin = flow[i] .pt_min ; 

if( flow[i] .pt^min < host[h[j]] .port_cmin ) 
host[h[j]] .port_cmin = flow[i] .pt_min ; 

if( flow[i] .pt_max > host [h[j]] .port_cmax ) 
host[h[j]] .port_cmax = flow[i] .pt_max ; 

if((flow[i] .service < udp_port_offset) && 
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(port_mask[ flow[i] .service ])){ 

common = 1 ;// if server is 'common 1 (in the 

.server bit map) treat as ' LO' server 

if(f_verbose==4) printfC" Client: %d, 

common : %d " , j , common ) ; 

if ((flow[i] .service < low_pt_max) || common) { // 

server k is LO 

host[h[j]] .client 1= port_mask[ 
flow[i] .service ] ; // assumes port -> service 

if( flow[i] .pt_min >= low_pt_max ) list = 0 

; // NORMAL = DO NOT LIST IN FILE 

else { // client j is low 

host[h[j]] .alerts |= LO_LO_CS ; // 

############################ 

host [h[j]] .concern += LO_LO_Cl ; 

host[h[j]] ,bad_flow++ ; 
list = 1 ; 

strcatC reason, " LO_LO-C ") ; 

} 

} else { // server k is Hi 
// host[h[j]] .client |= 

high_port_client ; // appears to be high-port server's client 

host[h[j]] .bad_flow++ ; 
if( flow[i] .pt_min >= LOW_PT_max ) { 

host[h[j]] .alerts |= HI_HI_CS ; // 



client k HI , port > 1023 
") ; 



} 



host[h[j]] .concern += HI_HI_CI ; 

list = 1 ; strcatC reason, " hi-hi-c 

else { 

host[h[j]] .alerts |= LO_hi_CS ; 
host [h[j]] .concern += lo_hi_ci ; 
list = 1 ; 

strcatC reason, " LO-HI-C ") ; 

} 



odd service 



flow[i] .service ) break ; 
list[p] is empty, add pt[k] to it 
flow[i] .service ; // if uncommon port, add to list 

} 



ifC ! common ) { 

host [h[j]] .client |= odd_bit ;// bit for 

forC p =0 ; p < 10 ; p++ ) { 

" n].c_ii 



ifC host[h[j]].c_list[p] == 
if C ! host[h[j]].c_list[p] ) { // if 
host[h[j]] .c_list[p] = 
break ; 



} 

} // end ! common 
} // ip[j]i and host[h[j]], is client 

if C c[j] && s[j] ) { 

if C ! Cflow[i] .state & LOOSE) ) { 



host 
host 
host 
fl ow 



3 

3: 

3 



.alerts |= PORT_SCAN2 ; 
, pt_scans++ ; 

concern += port_SCAN2_ci ; 



.state = PROBE 
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list = 1 ; strcat( reason, "C&S ") 

ifC ( ! c[j] ) && ( ! s[j]) ) { 

if( ! (flow[i] .state & LOOSE) ) { 



host[h[j" 
host[h[^ 
host[h[] 



] .u_flows++ , 
]. concern += unknowm_ci ; 
]. alerts |= NO_CS_SET ; // now 



list = 1 ; strcatC reason, "no-CS ") ; 

} } 
} // end multiple pkts 



if( udp) { // udp 

if(f_verbose==4) printf(" UDP Flow-%u ", j ) ; 

if( flow[i].pt[i] == 53 ) { 

host[hq]] .server |= port_mask[ udp_port_offset + 53 ] ; 
host[h[j]] .dns_flows ++ ; 

if( flow[i].pt[k] == 53 ) { 

host [h[j]] .client 1= port_mask[ udp_port_offset + 53 ] ; 
if( flow[i].pt[j] != 53 ) host [h [j] ] .dns_f lows ++ ; 

else if ( flow[i] .pt[j] != 53 ) { // neither port is 53 

ppsO = flow[i] .pkts[j] / ( 1 + flow[i].last - flow[i ]. start) 

ppsl = flow[i].pkts[k] / ( 1 + flow[i].last - flow[i ]. start) 



if(( flow[i].pkts[j] » 2) > flow[i].pkts[k]) { 

8 r mm_s++; // host is one-wqy mm_s 



if( (ppsO^+ ppsl ) > 6 ) { 

hosttRn], . , , , -- - - 1! j - 

host[h[]]] .server |= mm_bit ;// bit for 
multimedia, psedo-port = UDP_PORT_OFFSET + 1 

} else { // not server 

if( (flow[i].pkts[k] » 2) > 



flow[i].pkts[j]) { 
mm_c 

for multimedia 

multimedia peer (2-way) 
for multimedia 
for multimedia 



host[h[j]] .mm_c++;// host is one-wqy 

host [h[j]] .client |= mm_bit ;// bit 

} else { // not client either 

host[h[j]] .mm_p++;// host is 

host[h[j]] .client |= mm_bit ;// bit 

host[h[j]] .server |= mm_bit ;// bit 



} // end peer 
} // end not-server 



// else { // check for GAME or TELEPH 

// } 

} // not DNS, check for multimedia 
} // end UDP 

} // end if pkts[j] > 0 
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} // end stats for host ip[j], j = 0, 1 & 'Touching 1 
flow[i] .state |= CLASSIFIED ; // flow has been classified 
pthread_mutex_unlock( &mp_hosts) ; // ### unlock hosts [] 
) // end - not-classified and clearing flow 

if (f_verbose==4) printf(" Clear: %u, Reason: %s\n" , clear, reason ) ; 

if (clear) { // ========================= END-OF-FLOW ANALYSIS (beyond 

client-server) ============ // 

if( f_verbose == 3) {printf(" End-of-Flow start. np:%u at 
%u\n",np,*(&t_run)) ;fflush( stdout) ;} 

if(!udp && (flow[i] .state & ATTACK) ) { // if TCP - check addition points for 
half -open attack 

list = 1 ; 

for( j = 0 ; j <= 1 ; j++ ) { 
k = 1 - i • 

if(( flow[i].pkts[j] > 16 ) && ( flow[i] .flagCj] [SYN] > 
(0.75 * flow[i].pkts[j] )) && 

flow[i].flag[k][S_A] ) { // 

if half -open attack, 'j 1 attacking ' k' 

it(( h[j] ) && ( host[ h[j] ]. alerts == HO_ATTACK ) 

^ * host[ h[j] ]. concern += ho_atk_per_syn * 

(flow[i].flag[j][SYN] - 12 ) ; 

} // end - fmdJiostO ok 

} // - end - for j = 0,1 and k = 1,0 
} // end - check for half -open (lots of SYN's evoking syn-ack's) 

if(flow[i] .state & attack ) { list = 1 ; strcat( reason, " Attack") ;} 

if (flow[i] .state & PROBE ) strcat( reason, " Probe" ) ; // don't set Hist 1 -too 

many probe flows 

} // end - end-of-flow analysis 

if (clear && (listl |f_all | |f_demo| | (flow [i] .state & WATCH_FLOW))){ // == write to 
flow-log =// 

unsigned int ipO, ipl ; // option "a" (f_all == 1) logs 

all flows 

unsigned char as0[16], asl[16] ; 

ipO = flow[i] .ip[0] ; 

ipl = flow[i] .ip[l] ; 
if( f^verbose == 3) {printf( n List-Flow Start, i :%u at %u\n n , i, *(&t_run)) ; 
fflush( stdout);} 

n_f print ++ ; // select flows to log 

n_flow_log ++ ; // cum 
// if( f_dotdec ) { // cmd line flag 'd' - 

print as dotted-decimal 

sprintf( asO, "%3u.%3u.%3u.%3u", (ip0»24) & Oxff, (ip0»16) & Oxff, (ip0»8) & Oxff, 
ipO & Oxff) ; 

sprintf( asl, "%3u.%3u.%3u.%3u", (ipl»24) & Oxff, (ipl»16) & Oxff, (ipl»8) & Oxff, 
ipl & Oxff) ; 

fprintf(log_flow, "%u\t %s\t %s\t %u\t %u\t %u\t %u\t %u\t", 

flow[i] .state, asO, asl, flow[i] .pt[0] , flow[i] . pt [1] , 
flow[i] .service, flow[i] .start , flow[i] . last) ; 
//} else { // print as 8-hex 

// fprintf(log_flow, "%u\t %x\t %x\t %u\t %u\t %u\t %u\t %u\t n , 

// flow[i] .state, ipO, ipl, flow[i] .pt[0] , flow[i] .pt [1] , service, 

flow[i] .start, flow[i] .last) ; 
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//} 

fori ntf(log_f low, "%u\t %u\t %x\t %u\t %u\t'\ 

f low [i] .bytes [0] , flow[i] .pkts[0] , flow[i] .flgs[0] , flow[i] .pt_min, flow[i] .pt_max 

); 

if( flow[i].bin_norm[0] ) fprintf (log_flow, "%u\t", (25 * 
flow[i] .binary[0])/flow[i] .bin_norm[0]) ; 
else fprintf(1og__flow, "255\t M ) ; 

fprintf (log_f low, "%u\t%u\t%u\t%u\t%u\t%u\t%u\t" , 



flow[i] .flag[0] [0] , flow[i] .flag 



0][1 



flow 



i ] . f 1 ag [0] [2] , f 1 ow [i ] . f 1 ag [0] [3] 



flow[i].flag[0][4], flow[i] .flag[0] [5] , flow[i] ,flag[0] [6] ); 
fprintf(log_flow, "%u\t %u\t %x\t %u\t %u\t", 

flow[i] .bytes [1] , flow[i] .pkts[l] , flow[i] .flgs[l] , flow[i] .pt_min, flow[i] .pt_max 

) ; 

if( flow[i] .bin_norm[l] ) fprintf (log_f low, "%u\t'\ (25 * 
flow[i] .binary[l])/flow[i] . bin_norm[l]) ; 
else fprintf(log_flow, "255\t") ; 



fprintf (log_f low, M %u\t%u\t%u\t%u\t%u\t%u\t%u\t%s\n ,, , 
flow[i] .flag 
flow[i] .flag 



1][0], flow[i].flag[l][l], flow[i].flag[l][2], flow[i] .flag[l] [3] , 
1][4], flow[i].flag[l][5], flow[i] .flag[l] [6] , reason ); 

} // end of select to fprint(log_flow, ... ) 



if( clear) { // ======= clear flow[i] ========== // 

if( flow[i].up) flow[ flow[i].up ].down = flow[i].down ; // if .up 

not zero 

if( flow[ flow[i].down ].up == i) flow[ flow[i].down ].up 
flow[i].up ; // one is true 

if( flow[ flow[i].down ] . root == i) flow[ flow[i].down ] . root = 

flow[il.up ; 

memset( (void *) & flow[i] .ip[0] , '\0', (size_t) ( sizeof( struct 

flow_db ) ) ); 

flow[i] .down = 0 ; 

if( flow[i].flag[l][7] != 0) printf("#### #### FLOW SLOT NOT BEING 
zeroed #### ####\n M ); ; 

if(n_active > n_acti ve_max) n_active_max = n_active ; 
n_active -- ; 
} // end - clear flow 

if( f_verbose == 3) {printf( M Flow_class 1 flow %u done. np:%u at %u\n M , i, np, 
t_run) ; fflush( stdout);} 

}// end of confirming (.down == 0) 
pthread_mutex_unlock( &mp_flows) ; // ### unblock process_pkts 

} // end of (.down == 0) && remove flow 

} // end i = 1 to SLOTS 

if (f_verbose) { 

fflush( log_flow ) ; 

printf( M t_run (s) : %u, next web: %u, Flows lost: %u, Flows 
Ended: %u, Flows Listed: %u\n", 

*(&t_run), t_next_web - t_zero, n_f ull , flows_ended, 

n_f print) ; 

if(( tjiere >= t_next_web) && (running != 2)) { 
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t_next_web += web_alert_int ; 

web_alerts( ) ; // ##### ##### call 

web_Alerts 

if(( tjiere >= t_next_prof) && (running != 2)) { 
t_next_prof += web^\lert_int ; 

save_profiles( ) ; // ##### ##### call 

save_profiles 
} 

this_hour =( (t_here / 3600) % 24 ) ; // hour of the day, 1-23 
if( last_hour > 23 ) lastjiour = thisjiour ; 

if(f_verbose >= 2) printf(" Restart Jiour: %d Lastjiour: %d Day: %d, thisjiour: %d, 
minutes : %d\n", 

restartjiour, lastjiour, ((t_here / 86400) % 30), thisjiour, (t_here / 60) % 60 ) ; 

if( (thisjiour == restart_hour) && (lastjiour != restart Jiour) ) { 
i = save_profiles() ; 

printf( M \n ######### Good Bye. saved %u Profiles for Tomorrow. 
###########\n\n" , i ) ; 

suicide( (tjiere / 86400) % 30 ) ; // parameter is day 0-29, name 

of log di rectory 

lastjiour = thisjiour ; // for next check 
if( f_file) { 

if( f_verbose >= 2 ) printf( M Classify_Flows about to sleep. t_run 
:%u\n", *(&t_run) ) ; 

pthread_mutex_unlock( &mp_class_flow) ; // ### unblock process_pkts 
sleep(l) ; 

if( running == 2) break ; // run once to finish up 

if( f_verbose == 3) {printf(" Flow-Class Bottom. np:%u at %u\n", np, t_run) ; 
fflush( stdout);} 

} // =============== =============== ===============end while(running) 

if (f_verbose) { 

printf("* Thread class^flow finishing at t: %u, np: %u\n M ,t_here - t_zero, np) ; 
fflush( log^flow ) ; fflush( stdout ) ; 

} 

return ; 
} // end class_flow() 

// ### SCAN_PAIR - KEEP STATISTICS BASED ON PROBER-TARGET IP ADDRESSES 



unsigned long scan_pai r(unsigned long ipO, unsigned long ipl, unsigned char type, 

unsigned short port) 

{ // type: 0 - empty, 1 - UDP, 2 - TCP, 8 - s-addr==D-addr 

unsigned long x, i, i_mark, n, index, scans_size = SCAN_SLOTS, min_type, 

min_slot ; 

size_t t_here ; 

if( f_verbose == 3) {printf( M Scan_Pai r start. np:%u at %u\n", np, 
*(&t_run)) ; fflush( stdout);} 

x = ipO a (ipl « 6 ) a (ipl » 26) make index from DA, SA, port 

*** / 

index = x ; 

for (i = SCAN_SHIFT ; i < 32 ; i += SCAN_SHIFT ) { 
X = X » SCAN_SHIFT ; 

index a= x ; // XOR bytes together 

} 
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index = index & scan_mask ; //limit to right SCAN_SHIFT bits 
index++ ; // index can be 1 to 2An +1 

if( f_verbose > 1) printf ("###scan_pai r, np:%u, index: %u, type: %u, port: %u" , np, 
index, type, port ) ; 

tjiere = *(&t_run) + *(&z_sec) ; 

// — look for matching connection or first empty slot 
if( scans [i ndex] . root) { // root not empty, run through list, look for 
matching scan 

i = scans [i ndex] . root ; 
do { 

if((scans[i].ipO != ipO) M (scans[i] .ipl != ipl)) { 
if ( (scans[i] .up)) { 

i = scans [i] .up; 

} else { 

break ; // break out of while(l) - end of 



list, no match 



} else { // slot for scan already exists 
goto update_pair ; 

} while( 1) ; // break out when end of list or match found 



i_mark = i 



// index of last entry in list - NEW HOST entry 



use i = 0 



for( n = 0 ; n < SCAN_RANGE ; n++) { 
i += 5 + n ; 

if( i >= SCAN_SLOTS ) i = i - SCAN_SLOTS + 1; 



// can not 



} 



if (scans [i] .down == 0 ) { // empty, use for new entry 
scans [i__mark] .up = i ; 
scansfi] .down = i_mark ; 
goto new_pair ; 



} 

else { 



return( 0 ) ; // scan data sub-structure full 
// scans [index] .root == 0, search for any empty slot for NEW 



ENTRY 



use i = 0 



i = index ; 

for(n=0;n< SCAN_RANGE ; n++) { 
i += 5 + n ; 

if( i >= SCAN_SLOTS ) i = i - SCAN_SLOTS + 1; 

if (scans [i] .down == 0 ) { 

scans [i ndex] . root = i ; 
scans [i] .down = index ; 
goto new_pair ; // 



// can not 



new_pai r 

// 



} 



} 

return( 0 ) 



// scan data sub-structure full 



n__scans++ ; 

if( n > n_pr_search) n_pr_search = n ; // check hash efficiency 
scans [i] .up = 0 ; 
scans [i] .ipO = ipO ; 
scans [i] .ipl = ipl ; 

scans[i] .start '= scans[i] .last = *(&t_run) + t_zero ; 
scans[i] .port[0] = port ; 
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scans [i] -type [0] = type ; 
scans [i] . njiits = 1 ; 
scans [i ] .n_ports = 1 ; 
scans [i] .concern = 100 ; 

if (type > 8) scans [i] .concern += 200 « (type - 8 ) ;// 9,10,11,12 -> 
200,400,800,1600 



if( f_verbose > 1) printf(" , new-pair, i :%u type: %d, port%d, concern: %u\n" , 
i, (int) type, (int) port, scans [i] .concern ) ; 

return( i ) ; 

update_pair: 
min_type = 100 ; 

scans[i] .last = *(&t_run) + t_zero ; 

scans [i] . njiits ++ ; 

if( scans [i ] .n_ports < 16 ) { 

for(n = 0 ; n < 16 ; n++ ) { // fill a new slot or find a match 
if( scans [i] .type [n] < min_type ) { 
min_type = scans [i] .type [n] ; 
min_slot = n ; 

} 

if( scans [i] .type [n] == 0 ) { 



scans 
scans 
scans 
break 



,port[n] = port ; 
.type[n] = type ; 
. n_ports = n + 1 



scans[i] .walk[n] ++ 



if (scans[i] . type[n]==type) { 

if (scans [i] .port [n] = port) { // already present 
if( scans[i] .walk[n] < Oxff) 



&&(scans[i] .wal k[n]<255)){ 
scans[i] .walk[n] ++ ; 

} 



break ; 

if((port > 1023) && (port < (scans[i] .port[n]+5)) 

scans [i] .port [n] = port ; // port walking 
if( scans[i] .walk[n] < Oxff) 



} 



break 



} // breaks go here 

if( ( n 16) && (type > 6)) { 

if( type == scans [i] .type [ min_slot ] ) { 
scans [i] .port [ min_slot ] = port ; 

else { 

if( type > scans [i] .type [ min_slot ] ) { 
scans[i] .port[ min_slot ] = port 
scansfi] .type[ min_slot ] = type 

} } } 



scans [i] .concern += 100 ; 

if (type > 8) scans [i ]. concern += 200 « (type - 8 ) ;// 9,10,11,12 -> 
200,400,800,1600 

if( f_verbose > 1) printf(", update-pair, i:%u, pair hits: %u, slots 
filled: %u, concern: %u \n", 

i, scans [i ] .n_hits, scans [i ] .n_ports, scans [i] .concern) ; 

if( f_verbose == 3) {printf(" Scan^Pair End. np:%u at %u\n", np, 
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*(&t_run)) ; fflush( stdout);} 

return( i ) ; 

} // end of scan_pair 



unsigned long find_host( unsigned long ip, unsigned int make) 

{// returns host[i] unsigned index, HOSTS MUST BE LOCKED 

unsigned long x, i, i_mark, n, index, scans_size = HOST_SLOTS, unlock = 0 ; 

x = ip a (ip « 6) ;/*** make index from ip ***/ 
index = x ; 

for (i = HOST_SHIFT ; i < 32 ; i += HOST_SHIFT ) { 
X = X » HOST_SHIFT ; 

index a= x ; // XOR bytes together 

index = index & HOST_MASK ; //limit to right HOST_SHlFT bits 
index++ ; // index can be 1 to 2An +1 

if( ! pthread_mutex_trylock( &mp_hosts ) ) { // this will lock mutex if not 
locked already 

printfC" ### find_host() without mutex mjiost being set. t: %u, Running: 
%u\n" , * (&t_run) , runni ng) ; 

unlock = 1 ; 

} 

#ifdef CHECK_INDEX 

if ( index >= HOST_SLOTS ) { 

printf ("index bigger than HOST_SLOTS (%u > %u) at record %u\n", 
index, HOST__SLOTS, *(&np)); 

exit(-l) ; 

} 

#endif 

// — look for matching HOST or first empty slot 

if( host [index] . root) { // root not empty, run through list, look for 
matching scan 

i = host [index] . root ; 
do { 

if (host[i] .ip != ip) { 

if( (host[i].up)) { 

i = host [i]. up; // loop again 

} else { 

break ; // break out of while(l) - end of 

list, no match 

} else { 

host[i].last = *(&t_run) + t_zero ; // this is 

M update_host:" 

if( unlock ) pthread_mutex_unlock( &mp_hosts) ; // ### unlock hosts [] 

return( i ) ; // slot for scan already exists 



return 



entry 



} while(\) ; // break out when end of list, match found -> 

i_mark = i ; // index of last entry in list - NEW HOST entry 

if( make == 0) return ( 0 ) ; // !make -> do not make a new host 

for( n = 0 ; n < HOST_RANGE ; n++) { 
i += 5 + n ; 
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if( i >= HOST_SLOTS ) i = i 



HOST_SLOTS +1; // can not 



if (host [i] .down == 0 ) { // empty, use for new entry 
host [i_jnark] .up = i ; 
host[i].down = i_mark ; 



} 



} 



goto new_host ; 



printfC'H") ; 

if( unlock ) pthread_mutex_unlock( Ampjiosts) ; // ### unlock hosts [] 
return( 0 ) ; // Host data sub-structure full 



ENTRY 

entry 



} 

else { 



// host [index] . root == 0, search for any empty slot for NEW 
if( make == 0 ) return ( 0 ) ; // !make -> do not make a new host 



use i = 0 



i = index ; 

for( n = 0 ; n < HOST_RANGE ; n++) { 
i += 5 + n ; 

if( i >= HOST_SLOTS ) i = i - HOST_SLOTS +1; // can not 

if(host[i] .down == 0 ) { 

host [i ndex] . root = i ; 
host [i]. down = index ; 
goto new_host ; 

} } 
printf ("H") ; 

if( unlock ) pthread_mutex_unlock( &mp_hosts) ; // ### unlock hosts[] 
return( 0 ) ; // Host data sub-structure full 

} 

new_host: 

host[i] .up = 0 ; 
host[i] . ip = ip ; 

host [i] .start = host [i]. last = *(&t_run) + t_zero ; 
for ( n = 0 ; n < ln_max ; n++) { 

if( ! ( local_mask[ n ] & ( local_net[ n ] a i p ))) { 

host[i] .alerts |= LOCAL_HOST ; // set local-host bit 

acti ve_locals++ ; 

break ; 

} 

} 

n_host++ ; 

if( n > n_pr_search) n_pr_search = n ; // check hash efficiency 
return( i ) ; 

if( unlock ) pthread_mutex_unlock( &mp_hosts) ; // ### unlock hosts[] 
} // end of find_host() 



void 
USED 
{ 



print_host(FiLE *xfile, unsigned long h, unsigned long v) // NOT PRESENTLY 



unsigned long j, ip f n, x, aO, al, a2, a3 ; 
char as0[16] ; 
ip = host[h] .ip ; 

sprintf( asO, "%3u.%3u.%3u.%3u M , (ip»24) & Oxff, (ip»16) & Oxff, (ip»8) & Oxff, ip 
& Oxff) ; 

for( j = 0 ; j < strlen(asO) ; j++ ) if( asO[j] == 1 ') asO[j] = 'O 1 ; 



al = 64 * host[h] .pt_scans ; 



// MUST MATCH CALCULATION IN 1 web_al ertS () 1 
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if( host[h] .alerts & PORT_SCAN2 ) al += 400 
if( host[h] .alerts & PT_SCAN_ALERT ) al += 400 
if( host[h] .alerts & HI_HI_CS ) al += 200 

if( host[h] .alerts & LO_Hl_CS ) al += 800 

if( host [h] .alerts & LO_LO_CS ) al += 200 

a2 = 8 * host[h] .no_con_t + 8 * host [h] . rejects 
host [h] .traces 

+ 8 * host[h] .bacLpkts + 8 * host [h] . bacLf low + 8 

* host[h] .u_flows; 

a3 = 0 ; // application related 

// if( host [h] .server & IRC ) a3 += 200 ; 

client & IRC ) a3 += 100 ; 



+ 1 * host[h] .pings + 4 



// 



if( host[h 
aO = al + a2 + a3 



fprintfCxfile, " %u\t%u\t%u\t%u\t%s\t %u\t %u\t", aO, al, a2, a3, asO, 
host [h] .start, host [h] . last) ; 

fprintfCxfile, " %u\t %u\t", host [h] .bytes_in, host[h] .bytes_ot) ; 
fprintfCxfile, " %u\t %u\t %u\t %u\t", host [h] .pkts_in, host [h] . pkts_ot , 
host [h] . port_smi n , host [h] . port_smax) ; 

fprintfCxfile, " %u\t %u\t %x\t" , host [h] .port_cmin, host [h] . port_cmax, 
host [h] . server ) ; 

fprintfCxfile, " %x\t %x\t %u\t %u\t'\ host [h] .client , host [h] .alerts, 
host[h] .pt_scans, host [h] . resets ); 

fprintfCxfile, " %u\t %u\t %u\t", host [h] . rejects, host [h] .no_con_t , 
host [h] . dns_f 1 ows) ; 

fprintfCxfile, " %u\t %u\t %u\t %u\t", host[h] .udp_bytes, host [h] .mm_s , 
host [h] . mrruc , host [h] . mm_p) ; 

fprintfCxfile, " %u\t %u\t %u\t M , host [h] . s_f lows , host[h] .c_flows, host [h] .u^f lows 

fprintfCxfile, " %u\t %u\t %u\t %u\t", host[h] .pt_scans, host [h] . bad_pkts , 
host[h] .pings, host[h] .traces) ; 



fprintfCxfile, "S: "); 

x = host [h] .server ; n = 0 ; 
whileCC x > 0) && Cn < pn_max)) { 

ifC x & 1) fprintfCxfile, M %s " 

n++ ; x = x » 1 ; 

} 

fprintfCxfile, "- C: "); 

x = host[h] .client ; n = 0 ; 
whileCC x > 0) && Cn < pn_max)) 

ifC x & 1) fprintfCxfile, M %s " 

n++ ; x = x » 1 ; 

fprintfCxfile, M \n") ; 
} // end of print_hostQ 



port_name[ n ] ) 



port_name[ n ] ) 



unsigned long dots_intC char * p ) { // dotted-decimal to integer 

unsigned int v, j , ipv ; 
char *spl, *sp2, buf[120] ; 

strcpyCbuf, p) ; 
buf[15] = 0 ; 
v = 0 ; 
j = 0 ; 

spl = sp2 = buf ; // beginning of string "149. 77.8. 2" 
while Cj< 5) { 

j++ ; 

sp2 = strstrCspl, ,, . n ) ; 
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if(sp2) { // there's a dot 

sp2[0] = 0 ; // spl -> "177" 

v = v * 256 + atoi( spl ) ; 

spl = &sp2[l] ; // spl -> "77.8.2" 

} else { 

ipv = v*256 + atoi( spl) ; // spl -> "2" 
break ; // out of while loop 

?f( (atoi(spl) > 255) || (atoi(spl) < 0 ) ) j = 10 ; // -> error, 

below 

} 

if( j != 4 ) { 

printf(" Can not parse IP: '%s' f Quitting\n", p ) ; 
usage() ; 

return ( ipv ) ; 
} // end of dots_int() 



void web_alerts( void ) { // ==== run every 1200 s, only lock hosts 

char *sp, sl[20], s2[400], s3[400], s4[100], web_ts[64], wts[128] f ts[16] ; 

FILE *web_alt0, *web_altl, *web_traf0, *web_trafl, *webJiosts, '*web_info, 

*1 c__th_f i 1 e , *web_al arms ; 

FILE *web_scans ; 

unsigned int h, i, j, n, n0=0, nl=0, n2=0, n3=0, nh=0, nf=0, n_scan_prt, 
n_host_drop, drop_hosts ; 

unsigned int x, a, aO, al, a2, a3, pu, file_fail, error_count, odd_bit, traf 

time_t t_l, t_2, tjiere, t_tab, t_cut ; 

struct tm *w_time ; 

int m, local , dst ; 

if( f^verbose) printf(" 'Web_alert' started at t_run: %u s, pkts: %u\n", 
*(&t_run), np) ; 

if( f_verbose > 1 ) fflush( stdout ) ; 

if( *(&t_run) > LOOSE_PERlOD ) fjoose = f_splitpath ; // continue loose 
classify if split_path 

oddjsit = port_mask[ 2 * UDP_PORT_OFFSET +4] ; // bit for odd service, 
psedo-port = 2052 

if( f_file) tjiere = *(&t_run) + t_zero ; 
else tjiere = time( NULL ) ; // real time 

pthread__mutexJock( &mp_bs) ; // ### lock bs[] 

if( t_here > (t_bsjast + traf_table_min ) ) { 

bt ++ ; // bs[ bt + 1 ] may not be reliable in another thread, also 
bt may be > traffic_ values 

if( bt == TRAFFIC_VALUES ) bt = 0 | 
// bs[ bt ].bytes__in = bs[ bt ].bytes_out = bs[ bt ].bytes_loc = bs[ bt 

] . bytes_oo = 0 ; 

memsetC (void *) &bs[ bt ] , '\0', (size_t) ( sizeof( struct 
byte_table ) ) ); 

t_bs_last = tjiere - 1 ; 

} 



bs 



bt 



.t 



= tjiere ; 



bs[ bt ].bytes_in += bytes__in_cnt 

bs[ bt ].bytes_out += bytes_out_cnt 

bs[ bt ].bytes_loc += bytes Joc_cnt 

bs[ bt ].bytes_oo += bytes_oo_cnt 
Load for web Table 

bs[ bt ]. bytes Jdc += bytes J>c_cnt 
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bs 
bs 
bs 



bt 
bt 
bt 
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. bytes_mcn += bytes_mcn_cnt 
. bytes_mco += bytes_mco_cnt 
. bytes_bad += bytes_bad_cnt 



] .bytes_in 
] .bytes_out 
] .bytes_loc 
] .bytes_oo 
] .bytes_mcn 
] .bytes_mco 
] .bytes_bc 
] .bytes_bad 



if(bs[ bt ] 


. bytes_i n 


> 


bps_in_max ) 


bps_in_max 




bs[ 


bt 


if(bs[ bt 


] 


. oy xes_ou u 


> 


Dp5_OU L^iUaXJ 


c ai it - mav 
Dp 5 (JUL IMclX 






hl- 


if(bs[ bt 


] 


.bytes_loc 


> 


bps_oo_max ) 


bps_oo_max 




bs[ 


bt 


if(bs[ bt 


] 


. bytes_oo 


> 


bps_loc_max) 


bps_l oc_max 




bs[ 


bt 


if(bs[ bt 


] 


. bytes_mcn 


> 


bps_mcn_max) 


bps_mcn_max 




bs[ 


bt 


if(bs[ bt 


] 


.bytes_mco 


> 


bps_mco_max) 


bps_mco_max 




bs[ 


bt 


if(bs[ bt 


] 


. bytes__bc 


> 


bps_bc_max ) 


bps_bc_max 




bs[ 


bt 


if(bs[ bt 


] 


.bytes_bad 


> 


bps_bad_max) 


bps_bad__max 




bs[ 


bt 



bytes_in_cnt = bytes_out_cnt = bytes_loc_cnt = bytes_oo_cnt = 0 ; 
bytes_mcn_cnt = bytes_mco_cnt = bytes_bc_cnt = bytes_bad_cnt = 0 ; 



pthread_mutex_unlock( &mp_bs) ; // ### unlock bs[] 
//if(f_file) { 

// t_next_web = WEB_ALERT_INT ; // left over from when this was a separate 

thread 

//} 

//else { 

// unsigned int wai = WEB_ALERT__INT ; 

// t_next_web = t_zero + 0.5 * wai ; 

// t_next_web = t_next_web + wai - (t_next_web % wai) +1 ; // moves to nearest 

even value +1 

//} // so new value traffic graph will complete before this runs 
//while( running) 



// 

'// 
// 
// 
// 
// 



sleep( 10) ; //in case a file problem causes a "continue" 

while(( t_here < t_next_web) && (running == 1)) { 
if( f_file) tjiere = *(&t_run) ; 
else t_here = time( null ) 



} 



sleep(lO) ; // check time and 'running 1 every 10 seconds 



if( running == 0 ) return ; // break ; 

t_l = t_here ; 

t_2 = time( NULL ) ; 

w_time = localtime( & t_l) ; 

dst = w_time->tm_isdst ; // >0 if daylight savings time 
alarm_lines = 0 ; 
pthread_mutex_unlock( &mp_bs) ; // ### lock hosts [] 

pthread_mutex_lock( &mp_hosts) ; // ### unlock bs[] 

read_thresholds( ) ; // update thresholds from file lc_thresholds.txt 
pthread_mutex_unlock( &mp_hosts) ; // ### unlock hosts [] 

strcpy( web_ts, "web Prepared: " ) ; 

strcat( web_ts, asctime( w_time )) ; 

web_ts[ 38 ] = 0 ; // delete \n from asctime() 

strcpyC wts, moni tor_start ) ; 
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strcat( wts, web_ts ) ; 
if (f_verbose) { printf ("* Web_alert operating at t: %u, np: %u, %s\n", t_here - 
t_zero, np, web_ts) ; 
fflush( stdout) ; } 

// ================ START OF PROBE TABLE ===================// 

if( (web_scans = fopen("web_scans.txt M ,"w M ) )==null) { // OPEN 

OUTPUT FILE web_scans.txt 

printf ( n \nLog-Scans File 'web_scans.txt 1 Can Not Be Opened\n\n n ) ; 

else { // file 'web_scans' opened OK 

register int i , j , n ; 
n_scan_prt = 0 ; 

for( i = 0 ; i < 15 ; i++ ) scin[ i ] = 0 ; 

if( f_verbose == 2 ) {printf (" --- Scan-Pairs about to begin. \n") ; fflush( stdout ) 
; } 

for( i = 1 ; i < SCAN_SLOTS ; i++ ) { // ### WRITE SCAN- PAIRS ### 

register unsigned int ipO, ipl; 

charas0[20], asl[20] , as[30], as4[30] , pr_str[500], x_str[50] ; 
if( scans [i] .down) { // select pairs to f print 

register int j , k, tf, done ; 

int delete_pair = 0, display_pair = 0 ; 

pthread_jnutex_lock( &mp_pairs) ; // ### lock scans[], 

if( ( scans[i] .last + 1200 ) > t_here ) tf = scans[i] .last + 
1200 - t_here ; // time factor for display 

else tf = 0 ; 

if C((scans[i] .concern + tf ) < scans_cut )) { 
delete_pair = 1 ; 

} 

else { 

for( k = 1 ; k < 15 ; k++ ) { // put scans with 

values of concern into bins 

if( ( scans [i] .concern + tf ) < cix[k]) { 
scin[k]++ ; 
break ; 

} 

} 

} // end - not cut 

if C((scans[i] .concern + tf ) > scans_pr_cut )) display_pair 

= 1 ; 

if( f_verbose == 2 ) printf (" scans_cut: %u, scans_pr_cut %u, 
scans [%u] .concern: %u\n" , 

scans_cut, scans_pr_cut , i, scans[i] .concern ) ; 

if( delete_pair || display_pair ) { 

ipO = scans [i] .ipO ; 
ipl = scans [i] .ipl ; 
sprintfC asO, "%3u .%3u.%3u .%3u" , (ip0»24) & Oxff, (ip0»16) & Oxff, (ip0»8) 
& Oxff, ipO & Oxff) ; 

sprintfC asl, "%3u.%3u.%3u.%3u H , (ipl»24) & Oxff, (ipl»16) & Oxff, (ipl»8) 
& Oxff, ipl & Oxff) ; 

for( j = 0 ; j < strlen(asO) ; j++ ) if( asO[j] == 1 

! ) asO[j] = 'O 1 ; // target ipO 

for( j = 0 ; j < strlen(asl) ; j++ ) if( asl[j] == 1 
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spri ntf (pr_st r , "%u\t%u\t%s\t%s\t%u\t%u\t " , scans [i ] . 1 ast , 
scans[i] .start , asO, asl, 

scans [i ] .n_hits , scans [i ] .n_ports ); 
for( j = 0 ; i < 16 ; j++ ) { 

x_str[0] = 0 ; done = 0 ; 









switch ( scans[i] .type[j] ) { 






case 


1: 


spnntf (x_str , 


UDP_R-%u , scans [i] .port[j]) 


; break 


; // 


UDP_PROBE 












case 


2: 


spnntf (x_str, 


n TCP_R-%u n , scans [i] .port[j]) 


; break 


/ / 
; // 


TCP_PROBE 












case 


3: 


spnntf (x_str, 


Short_UDP-%u , scans [i ] . port []]) 


; break ; 


// 


SHORT UDP_S CAN 










case 


4: 


spnntf (x_str, 


"Src=Des-%u" , scans [i] .port [j]) 


; break ; 


// 


BOOMERANG 












case 


5: 


spri ntf (x_str , 


Ping ) 


; break ; 


// 


PING_SCAN 










// 


case 


6: 


sprintf (x_str, 


"ICMP_T0 M ) 


; break ; 


ICMP_TO 








; break ; 


// 


case 


7: 


spri ntf (x_str, 


"TCP_TO-%u", scans [i] .port[j]) 


TCP_TO 












case 


8: 


sprintf (x_str , 


M UDP_TO-%u", scans[i] .port[j]) 


; break ; 


// 


UDP_TO 










// 


case 


9: 


sprintf (x_str, 


M Bad_TCP-%u", scans [i] .port[j]) 


; break ; 


BAD_PKT_TRAC E 












case 


10: 


sprintf (x_str, 


"Multi_Pt-%u", scans[i] .port[j]) 


; break ; 


// 


TCP_PORT_SCAN 












case 


11: 


sprintf (x_str, 


M Addr_Scan-%u", scans[i] .port[j]) 


; break ; 


// 


TCP_J\DDR_SCAN 






"HO_ATTACKn-%u" , scans[i] .port[j]) 


; break ; 


// 


case 


12: 


sprintf (x_str , 


HALF_OPEN 












default : 


done = 1 ; 


} 







if( done ) break ; 
strcatC pr_str, x_str ) ; 
if( scans[i] .walk[j] > 0 ) { 

spri ntf (x_str, "(%u) '\ 



scans[i] .walk[j] ) 



} 



strcat( pr_str, x_str) 



} 



else strcat(pr_str, " " ) ; 
} // end j = 0, 1,2, ... 
strcat(pr_str, "\n") ; 



// 



clear 



if( delete_pair ) { // if( delete_pair ) 
scan[i] ==========// 

fprintf (log_pai r, "%u\t%s" .scans [i] .concern, pr_str) ; // 
write to log before deleting 

if( scans[i].up ) scans[ scans[i].up ].down = scans[i] .down ; // if .up 

not zero 

if( scans [ scans [i] .down ].up == i) scans [ scans [i] .down ].up 

scans[i].up ; // one is true 

if( scans [ scans [i] .down j.root == i) scans [ scans [i ] .down ] . root = 

scans[i] .up ; 



memsetC (void *) & scans[i].ipO , '\0' , (size_t) ( 
n_scans -- ; 

pthread_mutex_unlock( &mp_pai rs) ; // ### unlock scans[], 
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if (display_pair) { 

fprintf(web_scans,"%10u\t%s", scans [i] .concern + tf, 
pr_str) ; // sort on concern + tf 

n_scan_prt ++ ; 

} 

} 

} // end for i 
f close ( web_scans ) ; 
} // end - if fopen web_alerts.txt 

if( f_verbose == 2 ) { 

printf( M --- Scan-Pairs done. Display: %d, Show > %d, Delete< %d\n", 

n_scan_prt, scans_pr_cut , scans_cut) ; 
fflush( stdout ) ; 

} 

// ================ END OF PROBE TABLE ===================// 

t_diff = t_here - t_wa_last ; // for web_alert bps cal 
t_wa_last = tjiere ; 

if(t_diff < 100) t_diff = 100 ; // may be small at first and when running 

== 2 

web_traf_2byte = (web_traf_2 * t_diff) » 3 ; // *dt/8 

if((web_info = fopen ("web_info.txt" , "wb"))==NULL) { // open web_info 

FILE 

printf ("File 'web_info.txt' Can Not Be Opened to Write, t: %u\n , * 

(&t_run)) ; 

file_fail = 1 ; goto close_files ; 

} 

if((web_altO = fopen ("web_alerts0.txt" , ,, wb ,, ))==NULL) { // OPEN 
web_alertsO file . x 

printf ("File 'web_alerts0.txt' Can Not Be Opened to write, t: %u\n , 

* (&t_run)) ; 

file_fail = 2 ; goto close_files ; 

} 

if((web_a1tl = fopen ("web_alertsl. txt" , "wb"))==NULL) { // open 
web_alertsl FILE v 

printf("File 'web_alertsl.txt ' Can Not Be Opened to write, t: %u\n , 

* (&t_run)) ; 

file_fail = 3 ; goto close_files ; 

} 

if((web_trafO = fopen ("web_traf0.txt" , "wb"))==NULL) { // OPEN web_traf0 

FILE X ., 

printf ("File 'web_traf0.txt ' Can Not Be Opened to Write, t: %u\n ,* 

(&t_run)) ; 

file_fail = 4 ; goto close_files ; 

if((web_trafl = fopen ("web_trafl.txt" , "wb"))==NULL) { // OPEN web_trafl 
printf("File 'web_trafl. txt ' Can Not Be Opened to write, t: %u\n",* 

(&t_run)) ; 

file_fail = 5 ; goto close_files ; 

} 

if((web_hosts = fopen ("webjiosts . txt" , "wb"))==NULL) { // OPEN webjiosts 

FILE 
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printfC'File 'web_hosts.txt' Can Not Be Opened to Write, t: %u\n" ,* 

(&t_run)) ; 

file_fail = 6 ; goto close_files ; 



if((web_alarms = fopen ("web^alarms. txt" , n wb M ))==NULL) { // OPEN 
web_alarm FILE 

printfC'File 'web_alarms . txt ' Can Not Be Opened to write, t: %u\n",* 

(&t_run)) ; 

file^fail = 7 ; goto close_files ; 



// t_next_web += web^alert_int ; // no 'continues 1 past here 

f pri ntf (web__i nf o , n %u\t%u\t%u\t%d\t%u\t%u\t%u\t%u\n n , pn_max , acti ve_l ocal s , 

n_host - acti ve_l ocal s, n_scan_prt, *(&web_traf_2) , 
*(&web_alert_2) , web_traf_2byte, dst) ; 

f pri ntf (web_i nf o , "%u\t%u\t%u\t%u\t%s\t%u\t%u\t%u\t%u\n" , bps_i n_max , 
bps_out_max, 

bps_loc_max, bps_oo_max, wts, bps_mcn_max, 
bps_mco_max , bps_bc_max, bps_bad_max ); 

f pri ntf (web_i nf o , "Ti me\t0ut-in\tln-0ut\tln-ln\t0ut-0ut\t0ut-MC\tln-MC\tB 1 cast\tBad\n 

" ) ; 

pthread_mutex_lock( &mp_bs ) ; // ### lock bs[] 
m = bt ; 

if( m >= traffic_values) m -= traffic_values ; // prevents thread sync 

problem 

m++ ; 

for( j=0; j < TRAFFIC.. VALUES ; j++ ) { // j i s counter 
m— ; 

if(m < 0 ) m += TRAFFIC_VALUES ; //mis index 
if ( bs[m] .t == 0) break ; 

w_time = localtimeC & bs[m].t ) ; // w_time points to 'tm' 

structure 

strftime(ts, 16, "%H:%M" , w_time) ; // t_table is formatted into string ts 
f pri ntf (web_i nf o , "%s\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\n M , ts , bs [m] . bytes_i n , 
bs[m] .bytes_out , 

bs[m] .bytes_loc, bs [m] . bytes_oo, bs[m] .bytes_mcn, bs[m] .bytes_mco, 
bs [m] . by tes_J>c , bs [m] . bytesjbad) ; 

pthread_mutex_unlock( &mp_bs) ; // ### unlock bs[] 

f pri ntf (web_hosts, M 0000\t Active Local Hosts: 
%u\t%s\t\t\t\t\tservers\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tclient 

, acti ve_l ocal s, wts); 
f pri ntf (webjiosts , M 0001\tHost iP\tConcern\tAl erts\tBytes-in\tBytes-Out\t\% 

UDP") ; 

for( j = 0 ; j < pn_max ; j++ ) f pri ntf (webjiosts, "\t%s" , port_name[ j ] ); 
// servers 

for( j = 0 ; j < pn_max ; j++ ) fprintf (web_hosts, "\t%s M , port_name[ j ] ); 
// clients 

f pri ntf (webjiosts, H \n M ) ; 

fprintf(web_alt0,"4294967295\tLocal Hosts with High Concern 
lndices\t%s\t%u\n ,, ,wts,*(&web_alert_2)) ; 

fprintf(web_alt0,"4294967294\tConcern\tHost lP\tBytes-ln\tBytes-Out\t\% 
UDP\tServers\tCl i ents\tAl erts\n") ; 

fprintf (web_altl,"4294967295\tOutside Hosts with High Concern 
lndices\t%s\t%u\n'\wts,*(&web_alert_2)) ; 

fprintf(web_altl,"4294967294\tConcern\tHost iP\tBytes-ln\tBytes-Out\t\% 

Page 56 



LANcope Code 

UDP\tServers\tCl i ents\tAl erts\n") ; 

fprintf (web_traf0,"4294967295\tl_ocal Hosts with Recent High 
Traffic\t%s\t%u\t%u\t%u\n" , 

wts, *(&web_traf_2) , t_diff, running); 

f pri ntf (web_t raf 0 , "4294967294\tTotal \tBi t/s-ln\tBi t/s-Out\t\% UDP\tHost 
lP\tConcern\tServers\tCl i ents\tAl erts\n M ) ; 

fprintf (web_trafl,"4294967295\tOutside Hosts with Recent High 
Traf f i c\t%s\t%u\t%u\t%u\n M , 

wts, *(&web_traf_2) ,t_diff, running); 

f pri ntf (web_t raf 1 , M 4294967294\tTotal \tBi t/s-ln\tBi t/s-Out\t\% UDP\tHost 
lP\tConcern\tServers\tCl i ents\tAl erts\n") ; 

memset( (void *) cin , '\0' , (size_t) C 30 * sizeof( long ) ) ) ; // clear 

cin[ ] 

memsetC (void *) tin , '\0', (size_t) ( 30 * sizeof( long ) ) ); 
n_host_drop = 0 ; 

dropjnosts = ( n_host > H0ST_LIMIT) ; // TRUE if too many hosts in database 
if( f_file ) t_cut = t_here - 200 ; else t_cut = t_here - 1800 ; // do not 
drop newbies 

// memset( (void *) temp, '\0' , (size_t) (128 * sizeof( long)) ) ; // DeBuG 

for( h = 1 ; h < HOST_SLOTS ; h++ ) { 

if (host [h] .down) { // select hosts to fprint 

pthread_mutex_lock( &mp_hosts) ; // ### lock hosts [] 

if( host [h] . down ) { // select hosts to fprint - confirm after lock 

register int list_ci, list_traf ; 

if( f_verbose == 2 ) {printf(" --- New Host. h:%u, ip: %8x\n M , h, host[h].ip) ; 
fflushC stdout ) ; } 

list_ci = list_traf = 0 ; 

al = host [h] .concern ; // ============== calculate Concern 

index (CI = aO) ======== // 

a2 = 8 * host[h] .no_con_t + 8 * host [h] . rejects ; // treat pings 
and traces as probes 

+ 8 * host[h] .bad_pkts + 8 * 

host [h] .bad_f low + 8 * host [h] .u_f lows; 

a3 = 0 ; // application related 

// if( host [h] .server & IRC ) a3 += 200 ; 

// if( host [h] .client & IRC ) a3 += 100 ; 

aO = al + a2 + a3 ; // this is the CI 

// ### 

### ALARMS 2 and 3 SET HERE ### ### 

traf = host[h] .bytes_in_pp + host [h] . bytes_ot_pp ; 
local = host [h] .alerts & local_host ; 

if( aO > web_alert_2) { //if CI greater than limit from 
lc_thresholds.txt 

list_ci = 1 ; //list even if alarm shut off 
if( ! ( host[h] .alerts & NCUU.ARM )) { // if alarms not 



shut off 
to NetAdmin 
too-frequent alerts 



host [h] .alerts |= ALARM_2 ; // set bit, cause email 
host[h] .alarm_t = t_here ; // mark time to avoid 
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else host[h] .alerts &= (~alarm_2) ; // alarm shut off, if 
else host [h] .alerts &= (~alarm_2) ; // clear alarm_2 if web_alert_2 



if( traf >= web_traf_2byte ) { 

host [h] .alerts |= TRAF_ALARM ; // send email to Net Admin 
host [h] .alarnut = t_here; 
list_traf = 1 ; 

else host [h] .alerts &= (~traf_alarm) ; // clear traf^larm if 
web_traf_2byte increased 

host[h] .port_scan[0] = host[h] .port_scan[l] = 0 ; // clear 
short-term port scan 

host[h] .scan_cntr[2] = 0 ; 

if( f_verbose == 2 ) {printf(" --- Alarms Set or Cleared, traf: %u\n" , traf) ; 
fflush( stdout ) ; } 

if( local ) { // local host lists 

if( (aO >= web_alertO_0) || (host [h] .alerts & 
alarm_12) II f_demo ) list_ci = 1 ; 

if( (traf >= web_trafO_0) I I f_demo ) 

list_traf = 1 ; 
} 

else { 
// outside host lists 

if( (aO >= web_alertl_0) I I (host[h] .alerts & 
alarm_12) II f_demo ) list_ci = 1 ; 

if( (traf > web_trafl_0) | | f_demo ) 

list^traf = 1 ; 
} 

for( i = 1 ; i < 15 ; i++ ) { // put hosts with values of aO into 
bins to set web_alert_0 

if( aO < cix[i]) { 

cin[ ! local] [i]++ ; 
break ; 

} 

} 

for( i = 1 ; i < 15 ; i++ ) { // put hosts with values of traf into 
bins to set web_traf_0 

if( traf < tix[i]) { 

tin[!local] [i]++ ; 
break ; 

} 

if( f.verbose == 2 ) {printf( M --- Going to Calculate UDP\n M ) ; fflush( stdout ) ; } 

if( host[h] .bytes_in_mx < host [h] . bytes_i n_pp) host [h] .bytes_in_mx = 
host [h] . bytes_i n_pp ; 

if( host[h] .bytes_ot_mx < host [h] . bytes_ot_pp) host [h] .bytes_ot_mx = 
host[h] .bytes_ot_pp ; 

if( host[h] .bytes_in + host[h] ,bytes_ot ) { 

if( host[h].udp.bytes > 42000000 ) { // 100 * will cause 

overflow 
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pu = (100 *(host[h] .udp_bytes » 
8))/((host[h] .bytes_in + host [h] .bytes_ot)»8+l) ; // %UDP 

} else { 

pu = (100 * host[h] .udp_bytes)/( host[h] .bytes_in 

+ host[h] .bytes_ot +1); // %UDP 
} else { } 

if( host[h] .udp_bytes) pu = 100 ; else pu = 0 ; 
a = host[h] .ip ; 

sprintfC si, "%3u .%3u.%3u .%3u" , a»24, (a»16) & Oxff, (a»8) & Oxff, a & 
Oxff ) ; // IP ddec 

for( j = 0 ; j < strlen(sl) ; j++ ) { if( sl[j] == ' ') sl[j] = '0' ; } 

if((local)|| (host [h] .alerts & ALARM_12) || list_ci || list_traf || f_demo) 
if( f_verbose == 2 ) {printf( M --- Goint to l_ist\n") ; fflush( stdout ) ; } 

i f (host [h] .pings > 100 ) host [h] .alerts |= 

PING^ALERT ; 

if(host[h] .traces > 100 ) host [h] .alerts |= 

TRACE_ALERT ; 

if (host[h] .rejects > 50 ) host [h] .alerts |= 

REJ ECT_ALERT ; 

if (host[h] .bad_pkts > 10 ) host [h] .alerts | = 

PKT_ALERT ; 

if (host[h] ,pt_scans > 5 ) host [h] .alerts |= 

PT_SCAN_ALERT ; 

x = (host [h] .alerts » 1) ; n = 1 ; sp = s4 ; s4[0] 
= 0 ; // s4 - alert list, skip '0' local 

while(( x > 0) && (n < max_alert)) { 
if( x & 1) { 

sprintf (sp, "%s " , alert_name[ n ] ) ; 
if( strlen(s4) > 380 ) { 
j = strlen(s4) ; 
s4[ j + 1 ] = 0 ; 
s4[ 1 ] = ; 
break ; 

} 

sp = & s4[ strlen(s4) ] ; 
n++ ; x = x » 1 ; 
} // end while 

if( local ) { // local host list 
nh++ ; 

x = host [h] .server ; s2[0] = 0 ; // server x list 
for(n = 0 ; n < pn_max ; n++) { 
if( x & 1) strcat(s2, ,, \tx" ) ; 

else strcat(s2, M \t " ) ; 

if( strlen( s2 ) > 380 ) break ; 

x = x » 1 ; 

} 

x = host [h] .client ; s3[0] = 0 ; // client X list 
for(n = 0 ; n < pn_max ; n++) { 
if( x & 1) strcat(s3, M \tx M ) ; 

else strcat(s3, M \t 11 ) ; 
if( strlen( s3 ) > 380 ) break ; 
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x = x » 1 ; 

} 

f pri ntf (web Jiosts , M %s\t%u\t%s\t " , si , aO , s4) ; 
f pri ntf (webjiosts , "%u\t%u\t%u M , host [h] . bytes_i n_mx , 
host[h] ,bytes_ot_mx, pu ) ; 

f pri ntf (webjiosts, "%s%s\n ,I > s2, s3 ) ; // s2 and s3 start 



with \t 



f_demo) { 



} // end 'if local ' 
else nf++ ; 

i f ((host [h] .alerts & ALARM_12) || list_ci || list_traf || 
x = host[h] . server ; 

n = 0 ; sp = s2 ; s2[0] = 0 ; // s2-server list 
while(( x > 0) && (n < pn_max)) { 
if( x & 1) { 

sprintf (sp,"%s port_name[ n ] ) ; 

sp = & s2[ strlen(s2) ] ; 

if( strlen(s2) > 380 ) { 
j = strlen(s2) 



s2[ j + 1 ] = 0 ; 
s2[ 1 ] = ' + ' ; 
break ; 



n++ ; x = x » 1 ; 
} // end while 

for(x = 0 ; x < 10 ; x++ ) { 

if(( host[h].s_list[x] == 0) | | ( strlen(s2) 

> 380 )) break ; // add ports not in bit map 

sprintf(sp,"%u ", host[h] .s_list[x] ) ; 
sp = & s2[ strlen(s2) ] ; 

x = host[h] .client ; 

n = 0 ; sp = s3 ; s3[0] = 0 ; // s3 - client list 
while(( x > 0) && (n < pn_max)) { 
if( x & 1) { 

sprintf (sp, "%s ", port_name[ n ] ) ; 
sp = & s3[ strlen(s3) ] ; 
if( strlen(s3) > 380 ) { 
j = strlen(s3) ; 
s3[ j + 1 ] = 0 ; 
s3[ 1 ] = '+' ; 
break ; 

} 
} 

n++ ; x = x » 1 ; 
} // end while 

for(x = 0 ; x < 10 ; x++ ) { 

if(( host[h].c^list[x] == 0) | t ( strlen(s3) 

> 380 )) break ; // add ports not in bit map 

sprintf(sp, M %u host [h] .cjlist [x] ) ; 
sp = & s3[ strlen(s3) ] ; 

} 

} // end build s2,s3 
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if( local ) { // local host alert list 

if( list_ci ) { 
n0++ ; 



f pri ntf (web_al tO , M %u\t%s\t%u\t%u\t%u\t%s\t%s\t%s\n" , 
aO,sl,host[h] .bytes_in, host[h] .bytes_ot,pu,s2,s3,s4) ; 

} } 

if(! (local)) { // outside host - concern alert list 

if( list_ci ) { 
nl++ ; 

f pri ntf (web_altl, ,, %u\t%s\t%u\t%u\t%u\t%s\t%s\t%s\n" , 
aO, sl,host[h] .bytes_in, host[h] .bytes_ot,pu,s2,s3,s4) ; 

} 

if( local ) { // local host traffic 

alert list 

if( list_traf ) { 
n2++ ; 

fprintf(web_trafO > ,, %u\t%u\tXu\tXu\t%s\t%u\tXs\tXs\tXs\n" f (8*traf)/t_diff ,(8*host[h] . 
bytes_i n_mx)/t_di f f , 

(8*host [h] . bytes_ot_mx)/t_di f f , pu , si , aO , s2 , s3 , s4) ; 

} 

if(!( local)) { // not a local host - 

traffic alert list 

if( list_traf ) { 
n3++ ; 

fprintfCweb.trafl/'XuXtXuXtXuXtXuXtXsXtXuXtXsXtXsXtXsXn", (8*traf)/t_diff , (8*host[h] . 
by tes_i n_mx) /t_di f f , 

(8*host [h] . bytes_ot_mx)/t_di f f , pu , si , aO , s2 , s3 , s4) 

1 } 

} // traffic > x 

// =============================== ALARMS, OUT OF PROFILE REPORT 

if( host[h] .alerts & ALARM_2 ) { 

f pri ntf ( web_alarms, "%u\t%s\tHlGH 
CONCERN\t%u\t%u\t%s\n M , host[h] .alarm_t, sl.aO, traf , s4) ;// sl=dot-ip 

} // end alarm_1 

if( host[h] .alerts & ALARM_1 ) { 
f pri ntf ( web_alarms, 
"%u\t%s\tTouched\t%u\t%u\t%s\n M , host [h] . al arm_t , si , aO , t raf , s4) ; 

} // end ALARM_J3 

if( host[h] .alerts & traf^alarm ) { 

fori ntf ( web_alarms, "%u\t%s\tHigh 
Traffic\t%u\t%u\t%s\n M , host[h] .alarm^t , sl,aO, traf , s4) ; 

} // end TRAF^LARM 

if(local) { . , 

if( profile & 0x10 ) {// profile == 2 or 3, 0=clear every mght, 

l=save at night, add new 

register unsigned long s, c ; // 2=alarm & no add, 3 alarm and add 
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if( f_verbose == 2 ) {printf( M — Services vs. Profiles\n") ; fflush( stdout ) ; } 

s = (-host [h] .server) & host[h] .s_profile ; 

c = (~host[h] .client) & host[h] .c_profile ; // test profile 

compliance 

if( s | c ) { 

alarm_lines ++ ; 

fprintf( web_alarms, "%s - Out of Profile.", si ) ; 

if (s ) { 

services( s) ; 

fprintf( web_alarms, " Server OoP: %s.", 



serstr ) ; 

break ; // add ports not in bit map 
host[h] .s_list[x] ) ; 



if( c & odd_bit ) { 

for(x = 0 ; x < 10 ; x++ ) { 

if( host[h].s_list[x] == 0) 

fprintf(web_alarms,"%u 

} 



} 
} 

if (c ) { 

services( c) ; 

fprintf( web^alarms, " Client OOP: %s.", 

serstr ) ; 

if( c & odd_bit ) { 

for(x = 0 ; x < 10 ; x++ ) { 

if( host[h] .c_list[x] == 0) 

break ; // add ports not in bit map 

fprintf (web_alarms,"%u " , 

host[h] .c_list[x] ) ; 

} } 

} 

} 

fprintf ( web_alarms, "\n") ; 
if( profile & 0x01 ) { // profile == 1 or 3 -> add new bits to 

profile 

host [h] . s_prof i 1 e | = host [h] . server 
host[h] .c_profile |= host [h] .client 

; // auto-build profiles 

} // end LOCAL_HOST - Profiles 

if (host[h] .bytes_in_pp > host[h] .bytes_in_mx) 
host[h] .bytes_in_mx = host [h] . bytes_in_pp ; 

if (host [h] .bytes_ot_pp > host [h] . bytes_ot_mx) 
host[h] .bytes_ot_mx = host [h] .bytes_ot_pp ; 

host[h] .bytes_in_pp = host [h] .bytes_ot_pp = 0 ; // zero to 
collect bytes for next period 

// ==== CLEAR h0St[h] ===== // 

if( dropjiosts && (! (local)) && (aO == 0) && ( traf < 
host_cut) && (host [h] .last < t_cut) ) { 

if( host[h].up ) host[ host[h].up 

].down = host[h].down ; // if .up not zero 

Page 62 



LANcope Code 

if( host[ host [h] .down ].up == h) host[ 
host [h] . down ].up = host [h] . up ; // one is true 

if( host[ host [h] . down ].root == h) host[ 
host [h] . down ] . root = host [h] . up ; 

memset( (void *) & host[h].ip , 'XO', (size_t) ( 

sizeof( struct host_db ) ) ); 

n_host ; n_host_drop ++ ; 

} 

} // .down > 0 confirmed afer lock 
pthread_mutex_unlock( &mp_hosts) ; // ### unlock hosts [] 
//if(!((nh+nf)%100)) printf (" . ") ; 
//if (! C(nh+nf)%10000)) printf ("\n n ) ; 
} // .down > 0 
} // end h++ 

file_fail = 8 ; 

close_files: 



switch ( file_fail ) { 


case 8 


fcloseC web_alarms ) ; // fall-thru desired (no 'breaks 1 ) 




case 7 


fclose( web_hosts ) ; 


case 6 


fclose( web_trafl ) ; 


case 5 


fclose( web_trafO ) ; 


case 4 


fclose( web_altl ) ; 


case 3 


fclose( web_altO ) ; 


case 2 


fclose( web_info ) ; 


case 1 




default 





if( file_fail < 8 ) printf (" Problem opening a file, close-index: %u\n", 
file_fail ) ; 

if( f_verbose == 2) {printf (" WA Web files closed. np:%u at %u\n", np, t_run) ; 
fflushC stdout);} 



Determine cut-off value for pruning scans [] 



// ======== 

int max_slots, max_print, m ; 

max^slots = 0.5 * SCAN_SLOTS ; 
max^print = 50 ; 

if( n_scans < max_slots) slots_cut = 0 
else { 

m = 0 ; 

for(i = 14 ; i > 0 ; i-- ) { 
m += scin[i] ; 
scans_cut = cix[ i-1 ] 

reduce db 

if( m > max_slots ) { 
break ; 

} } } 

if( n_scans <50) slots_pr_cut = 0 ; 
else { 
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m = 0 ; 

for(i = 14 ; i > 0 ; i— ) { 
m += scin[i] ; 

scans_pr_cut = cix[ i-1 ] ; // set value of slots_pr_cut 

to select for web 

if( m > 50 ) { 
break ; 

} } } 

if( f_verbose == 2 ) {printf( M — New scans_cut: %u, scans_pr_cut %u\n\n" , 
scans_cut, scans_pr_cut ) ; fflush( stdout ) ; } 

{ // ================= Network statistics ============== // 

register int m ; 
file *net_stats ; 



if( nh < LINES_PER_SCREEN ) web_alertO_0 = web_traf0_0 = 0 ; 
else { 

m = 0 ; 

for(i = 14 ; i > 0 ; i-- ) { 
m += cin[0] [i] ; 

web_alertO_0 = cix[ i-1 ] ; // set value of web_alertO_0 
if( m > LINES_PER_SCREEN ) { 
break ; 

} } 
m = 0 ; 

for(i = 14 ; i>0 ; i-- ) { 
m += tin[0][i] ; 

web_traf0__0 = tix[ i-1 ] ; // set value of web_traf0_0 

if( m > LINES_PER_SCREEN ) { 

break ; 

, } } 



if( nf < lines_per_SCREEN ) web_alertl_0 = web_trafl_0 = 0 ; 
else { 

m = 0 ; 

for(i = 14 ; i>0 ; i-- ) { 
m += cin[l] [i] ; 

web_alertl_0 = cix[ i-1 ] ; // set value of web_alertl_0 
if( m > lines_per_screen ) { 
break ; 

} } 
m = 0 ; 

for(i = 14 ; i>0 ; i— ) { 

web_trafl_0 = tix[ i-1 ] ; // set value of web_trafL_0 

m += tin[l] [i] ; 

if( m > LINES_PER_SCREEN ) { 

break ; 



if( n_host > HOST_LIMIT) { 
m = 0 ; 

for(i = 1 ; i < 14 ; i++ ) { 

host_cut = tix[ i+1 ] ; // set traf value for host_cut 
m += tin[l] [i] ; 

if( m > (n_host - host_limit) ) { 
break ; 
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} } 

} 

if( fLverbose == 2 ) {printfC" Net Stats about to begin. \n") ; fflush( stdout ) 



if( (net_stats = fopenC"web_stats . txt" , "wb") )==NULL) { // OPEN 

OUTPUT FILE web_scans.txt 

printf ("\ni_og-Scans File 'web_stats. txt 1 Can Not Be Opened\n\n") ; 

else { // file 'web_stats' opened OK 
for( m = 1 ; m < 15 ; m++ ) { 

fori ntf (net__stats , "%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\n n , 
cix[m-l] ,cix[mj ,cin[0] [m] ,cin[l] [m] , tix[m-l] ,tix[m] ,tin[0] [m] ,tin[l] [m] 



fcloseC net_stats ) ; 
} 

if( f_verbose == 2) {printf( n Net-stats done. np:%u at %u\n M , np, t_run) ; fflushC 
stdout) ;} 

} // end net-stats 

// if( running == 2 ) break ; // finish up 

// // end - whileC running ) 



if( file_fail == 8 ) { 

sleep(l) ; // give file pages time to write 

systemC" ./web-prepl. scr » wp-log.txt 2» wp-log.txt") ; // system % 
call 1 to make web pages 

sleep CI) ; // give files time to write 

systemC" ./web-prep2 . scr » wp-log.txt 2» wp-log.txt") ; // system < 
call 2 to make web pages 

sleep CI) ; // give files time to write 

systemC" ,/web-prep3 .scr » wp-log.txt 2» wp-log.txt") ; // system 
call 3 to make Web pages 

sleep(l) ; // give files time to move 

systemC" ./web-prep4.scr » wp-log.txt 2» wp-log.txt") ; // system 
call 4 to make web pages 

} else printf("\007 ########## WEB FILE PROBLEM - NEW WEB PAGES NOT GENERATED 
#########\007\n"); 

printf("%s web done. Took: %u s, Probes: %u, filed: %u, Alarms: %u %u %u %u\n", 

&web_ts[14], time(NULL)-t_2 , n_scans, 

n_scan_prt, nO, nl, n2, n3 ); 

if C f_verbose || (bt != bt_old) || f_file ) { 

bt_old = bt ; // do every 15 minutes, not every 5 min 
printf(" Pkts: %u, Flows in db: %u, Hosts in db: %u, cut: %u, Host Cut if < %u 
byte, age > %u s\n", 

np, n_flow, n_host, 

n_host_drop, host_cut, t_here - t_cut) ; 

printfC" Thresholds. CI for Web-Local Page: %7u, - web-Outside: %7u, for Alarm: 
%7u.\n", 

web_alertO_0, web_alertl_0, - (&web_al ert_2) ) ; 
printfC" Thresholds, bps for Web-Local Page: %7u, - Web-Outside: %7u, for Alarm: 
%7u b/s\n", 

(8* web_traf0_0)/300, C8*web_trafl_0)/300, *(&web^traf_2)) ; 

printfC" CI Min. for web. Inside: %u, Outside : %u", nO, nl) ; 
printf (" Traffic Min. inside: %u, Outside : %u\n", n2, n3) ; 
printfC" Local hosts: %u - Foreign Hosts: %u. Probes Shown: 
%u\n\n",nh,nf ,n_scan_prt) ; 
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fflush( stdout ) ; 

if((f_file) && (running == 1)) sleep(60) ; //delay to read Web 

if( f_verbose == 3) {printf( M WA Bottom. np:%u at %u\n", np, t_run) ; fflushC 

stdout);} 

return ; 

} // end - web_alerts() 

void read_thresholds( void ) { 
int h, x ; 
char s[80] ; 

FILE *lc_th_file, *lc_no_alarms_file, *lc_watch_list_file ; 

if((lc_th_file = fopen ("1 ^thresholds. txt" , ,, rb ,, ))==NULL) { // OPEN 
1 ^thresholds FILE 

?rintf("File ' lc_thresholds.txt' Can Not Be Opened to Read, t: 
) ; 

} 

else { 

register unsigned int a, w, r, p ; 
a = web_alert_2 
w = web_traf_2 
r = restart_hour 
p = profile 

whileC fscanf(lc_th_file,"%s\t%lu\n", s, &x) != EOF ) { 



if( 
if( 
if( 
if( 

} 



strcmp( s, "web_alert_2" ) ) web_alert_2 = x 

strcmp( s, "web_traf_2" ) ) web_traf_2 = x 

strcmpC s, "restartjiour" ) ) restartjiour = x 

strcmpC s, "profile" ) ) profile = x 



if(( a != web_alert_2 )||( w != web_traf_2 )||( r != restartjiour 
)||( p != profile )) { 

printf("### new VALUES: CI Alarm2: %u, Traf. Alarm: %u 
(b/s), Restart: %u, Profile Action: %u\n", 

web_alert_2, web_traf_2, restartjiour, profile); 

fclose( lc_th_file ) ; 

} // end read threshhold file 

if((lc_no_alarms_file = fopen ("lc_no_alarms.txt" , "rb"))==NULL) { // OPEN 
lc_jio_alarms.txt FILE 

printf("File 'lc_no_al arms. txt 1 Can Not Be Opened to Read, t: %u\n", 

* (&t_run)) ; 
} 

else { 

unsigned int al, a2, a3, a4, h, n_slot ; 
printf(" No-Alarm Set for:" ) ; 



!= EOF ) { 



while( fscanf(lc_no_alarms_file,"%u.%u.%u.%u\n", &al, &a2, &a3, &a4) 



h = (al « 24 ) | (a2 « 16) | (a3 « 8) | a4 ; 
if(n_slot = find_host( h, 1 ) ) { 

host[ n_slot ]. alerts |= NO^ALARM ; 
printf(" %u.%u.%u.%u", al, a2, a3, a4) ; 

} } 
printf("\n") ; 

Page 66 



LANcope Code 
fclose( lc_no_alarms_file ) ; 
} // end read threshhold file 

if((lc_watch_list_file = fopen ("lc^watch_list.txt ,, , M rb ,, ))==NULL) { // 
OPEN lc_watch.txt FILE 

printf ("File ' lc_watch_list.txt' Can Not Be Opened to Read, t: 
%u\n", * (&t_run)) ; 

else { 

unsigned int al, a2, a3, a4, h, n_slot ; 

printf (" watch_Host Set for:" ) ; 

while( fscanf(lc_watch^list_file, M %u.%u.%u.%u\n", &al, &a2, &a3, 

&a4) != EOF ) { 

h = (al « 24 ) | (a2 « 16) | (a3 « 8) | a4 ; 
if( n_slot = findJiost( h, 1 ) ) { 

host[ n_slot ]. alerts |= WATCH_HOST ; 

printf (" %u.%u.%u.%u", al, a2, a3, a4) ; 

} } 
printf("\n M ) ; 

fclose( lc_watch_list_file ) ; 
} // end - file opened 

return ; 

} // end of read_thresholds() 

void services( unsigned int x ) { // puts list of services into serstr 
int n, j ; 
char *ptr ; 

n = 0 ; ptr = serstr ; serstr[0] = 0 ; // serstr-server list 
while(( x > 0) && (n < pn_max)) { 
if( x & 1) { 

sprintf (ptr , "%s " , port_name[ n ] ) ; 
ptr = & serstr[ strlen(serstr) ]; 
if( strlen(serstr) > 380 ) { 
j = strlen(serstr) ; 
serstr[ 3 + 1 ] = 0 ; 
serstr[ j ] = ; 
break ; 

} 

} 

n++ ; x = x » 1 ; 
} // end while 

return ; 
} // end services () 

#ifdef CHECK_INDEX 

unsigned long host_hash( unsigned long ip) 

{// returns host[i] unsigned index, HOSTS MUST BE LOCKED 
unsigned long x, i, i_mark, n, index, scans_size = HOST_SLOTS ; 

x = ip a (ip « 6) ;/*** make index from ip ***/ 
index = x ; 

for (i = H0ST_SHIFT ; i < 32 ; i += HOST_SHIFT ) { 
X = X » HOST_SHIFT ; 

index a= x ; // XOR bytes together 

index = index & HOST_MASK ; //limit to right H0ST_SHIFT bits 
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index++ ; // index can be 1 to 2An +1 

if( ! pthread_mutex_trylock( &mp_hosts ) ) { 
printf (" ### host_hash() without mutex m_host being set. t: %u, Running: 
%u\n",*(&t_run) , running) ; 

pthread_mutex_unlock( &mp_hosts ) ; 

if ( index >= HOST_SLOTS ) { 

printf ("index bigger than host_SLOTS (%u > %u) at record %u\n", 
index, HOST_SLOTS, *(&np)); 

exit(-l) ; 

return( index ) ; // end - hostjiash (ony for CHECK_INDEX 

} 

#endif 

int read_profiles( void ) { // ############# READ_PROFlLES ( & BT[ ] ) 
################## 

FILE * profile ; 

long check ; 

unsigned long ip, h ; 

int n_pro = 0, n_table = 0, j, n_pts, n_hs ; 
struct stat file_info; 
unsigned char buffer [120] ; 

if( f_verbose == 3) {printf (" Read Profiles Start. np:%u at %u\n", np, 
t_run) ; fflush( stdout);} 

if( stat("lc_profiles", &file_info) == 0 ) { // there is a file 

if ((profile = fopen( ,, lc_profiles M , "rb")) !=NULL) { // and it opened 
fread( (void *) &check, sizeof( long ), 1, profile) ; 

// 96 is number of bytes saved per host profile 

if( check != 96 ) { 

printf (" ### File lc_profiles ( %d )does not match 
present host db structure size (96) ###\n", 

check) ; 

} 

else { // check ok 

register int i ; 
pthread_mutex_lock( &mp_hosts) ; // ### lock hosts[] 

while( 1 ) { 

if( fread( (void *) &ip, sizeof( long ), 1, 

profile) < 1) break ; 

if( (h = find_host( ip, 1 )) == 0 ) 

break * 

if( fread( (void *) &host [h] . s_profile, 
sizeof( long ), 1, profile) < 1 ) break ; 

if( fread( (void *) &host [h] .c_profile, 
sizeof( long ), 1, profile) < 1 ) break ; 

if( fread( (void *) &host[h] .s_list[0] , 
sizeof( short ), 10, profile) < 10) break ; 

if( fread( (void *) &host[h] .c_list[0] , 
sizeof( short ), 10, profile) < 10) break ; 

if( fread( (void *) &host [h] .host_scan[0] , 

sizeof (long) , 5, profile) < 5) break ; 

if( fread( (void *) &host [h] . scan_cntr[0] , 

sizeof (char) , 4, profile) < 4) break ; 

if( fread( (void *) &host [h] .port_scan[0] , 

sizeof (long) , 4, profile) < 4) break ; 
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//if( f_verbose == 2 ) { 

// printf(" %8x :%8x %8x : " ,host[h] .ip, host [h] . server, host[h] .client 

// for(i=0;i<10;i++) printf(" %u", host[h] .s_list[i] ) ; 

// printf (" :"); 

// for(i=0;i<10;i++) printf(" %u", host[h] .c_list[i] ) ; 

// printf("\n"); 

//} } // end while(l) 

pthread_mutex_unlock( &mp_hosts) ; // ### unlock hosts [] 

} // check ok 

skip_profiles: 

fclose( profile ) ; 
} // file opened ok 
- } // stat -> end file-ok 
// if( f_verbose == 3) {printf( M Read Profiles Mid. np:%u at %u\n M , np, t_run) 

; fflush( stdout);} 

if( stat( M lc_traf stable", &file_info) == 0 ) { // there is a file 
if ((profile = fopenClc_traf_table M , M rb M )) != null) { 

fread( (void *) &check, sizeof( long ), 1, profile) ; 
if( check != sizeof( struct byte_table ) ) { // byte table 
may change size due to revision 

printf (" ### File lc_traf_table ( %d )does not match 
present bs[]. structure size! ###\n", 

check) ; 

} 

else { // check is ok 

for( j = (traffic_values -l);i>=0;j--){ 
if( fread( (void *) &bs[j].t, check 

1, profile) < 1 ) break ; 

n_table++ ; 

//if((f_verbose == 2) && bs[j].t) printf ("j :%2d %5d %8d %8d %8d %8d\n n , j ,bs[j] .t, 
bs[j] .bytes_in, 

// bs[j] .bytes_out, 

bs[j] .bytes_loc, bs[j] .bytes_oo ) ; 

} // end - 'check 1 is right 
fclose( profile ) ; 
} // end - file opened ok 
} // end - there is a file 
bt = traffic_values - 1 ; 

printf (" Read - Local Host Profiles: %d, Traf. Table Lines: %d\n M , n_pro, 
n_table ) ; // call save_profiles 

printf (" Active Locals: %d, n^host: %d\n" , acti ve_locals, 

n^host ) ; // call save_profiles 

if( f^verbose == 3) {printf (" Read Profiles End. np:%u at %u\n", np, t_run) 
; fflush( stdout);} 

return( n_pro ) ; 
} // end read_profiles 

int save_profiles( void ) { // ############# save_profiles ( & bt[ ] ) 
################## 

file * profile ; 

long check ; 

unsigned long ip, hx ; 

int m, n_pro = 0, n_table=0, i, i ; 
if( f_verbose == 2) {printf (" Save Profiles Start. np:%u at %u\n" , np, t_run) ; 
fflush( stdout) ;} 
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if((profile = fopen("lc_profiles" , "wb")) !« null) { 
check = 96 ; 

fwrite( (void *) &check, sizeof( long ), 1, profile) ; 

for( hx = 1 ; hx < HOST^SLOTS ; hx++ ) { // save profiles of local 



if( host[hx] .alerts & 0x1 ) { 
pthread_mutex_lock( &mp_hosts) ; // ### lock hosts[] 

if( fwrite( (void *) &host[hx] .ip, 



long ), 


1, 


profile) 


< 


1 ) 


break 












sizeof ( 




if( 


fwrite( 


(voi d 


*) 


&host[hx] 


.s_profile, 


long ), 


1, 


profile) 


< 


1 ) 


break 












sizeof ( 




if( 


fwrite( 


(void 


*) 


&host[hx] 


.c_profile, 


long ), 


1, 


profile) 


< 


1 ) 


break 












sizeof ( 








if( 


fwrite( 


(void 


*) 


&host[hx] 


.s_list[0] , 


short ) , 


10, 


profile) 


< 


10) 


break 












sizeof ( 




if( 


fwrite( 


(void 


*) &host[hx] 


.c_list[0], 


short ) , 


10, 


profile) 


< 


10) 


break 
















if( fwrite( 


(void 


*) 


&host[hx] 


.host_scan[0] , 



sizeof (long) , 
sizeof (char) , 



zeof ( 



5, profile) < 5) break ; 

if( fwrite( (void *) &host [hx] . scan_cntr [0] 
4, profile) < 4) break ; 

if( fwrite( (void *) &host[hx] .port_scan[0] 
sizeof (long) , 4, profile) < 4) break ; 

n_pro++ ; 

// if( f_verbose == 2 ) { 

// printfC %8x :%8x %8x 

:",host[hx] .ip, host [hx] .server, host [hx] .client ) ; 

// for(i=0;i<10;i++) printfC" %u.", 

host[hx] .s_list[i] ) ; 

// printfC :"); 

// for(i=0;i<10;i++) printfC" %u. u , 

host[hx] .c_list[i] ) ; 

// } printf("\n"); 

pthread_mutex_unlock( &mp_hosts) ; // ### unlock hosts[] 

} // end } for(hx) 
fclose( profile ) ; 

if( f_verbose == 3) {printfC Save-Profiles Mid. np:%u at %u\n", np, t_run) 
; fflush( stdout);} 

if((profile = fopen("lc_traf_table" , "wb")) !=NULL) { 
pthread_mutex_lock( &mp_bs) ; // ### lock bs[] 

check = si zeof ( struct byte_table ) ; 

fwrite( (void *) &check, sizeof ( long ), 1, profile) ; 

m = bt ; 

m++ ; 

if( m > TRAFFIC^. VALUES) m -= TRAFFIC^ VALUES ; // prevents thread 

sync problem 

for( j = 0 ; j < TRAFFIC_ VALUES j++ ) { // j i s counter, bs.[bt + 
1] not reliable in this thread 

m-~ ; 

if(m < 0 ) m += traffic_values ; // m is index 
// if( bs[m].t == 0) break ; 

if( fwrite( (void *) &bs[m].t, si zeof ( struct byte_table ), 
1, profile) < 1 ) break ; 

n_table++ ; 

//if((f_verbose == 2)&&(j==0)) printf ("size:%d m:%2d %lld %8d %8d %8d %8d\n", 
si zeof ( struct byte_table ), 

// m , bs [m] . t , bs [m] . bytes_i n , bs [m] . bytes_out , 

bs[m] .bytes_loc, bs[m] ,bytes_oo ) ; 
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fclose( profile ) ; // break comes here 
pthread_mutex_unlock( &mp_bs) ; // ### unlock bs[] 

printfC Saved (at %u s) - Local Host Profiles: %d, Traf. Table Lines: 
%d\n" , t_run, n_pro, n_table ) ; 

if( f_verbose == 3) {printfC Save Profiles End. np:%u at %u\n'\ np, t_run) 
; fflush( stdout);} 

return( n_pro ) ; 
} // end write_profiles 

void record_probe( unsigned long hs, unsigned long d_ip, unsigned short des_port ) { 
// sets bit map for ip-scan and port-scan detection 

register int xl, unlock = 0 ; // mutex mpjiosts should be locked before 

cal 1 i ng 

register unsigned int m4, m2 ; 

if(( f_verbose ==2) || (f_verbose == 3 )) { 

printfC Record-Probe Start. np:%u at %u, hs: %u, d_ip: %8x, port: 
%u\n",np,*(&t_run) ,hs,d_ip,des_port) ; 

fflush( stdout) ; 

} 

if(f_verbose == 2) printfC ### SCAN hs: %u, da :%8x, M f hs,d_ip ) ; 
xl = (d_ip»5) & 0x3 ; // index 0 to 3 

m2 = (unsigned int) 1 « ( d_ip & OxOOlf) ;// 1 bit set in 32-bit field 

if( ! (host[ hs ].host_scan[ xl ] & m2) ) { // check hscanl28 bit 

host[ hs ].host_scan[ xl ] 1= m2 ; // --- set bit for hscanl28 
host[hs] .scan__cntr[l] ++ ; 

} 

m4 = (unsigned int) 1 « ( ( (d_ip»24) a (d_ip»16) ) & OxOOlf ) ; // 1 bit 
set in 32-bit field 

if( ! (host[ hs ].host_scan[ 4 ] & m4) ) { // check hscan32 bit 

host[ hs ].host_scan[ 4 ] |= m4 ; // set bit for hscan32 
host [hs] .scan_cntr[0] ++ ; 

if( host[hs] .scan_cntr[0] > 24 ) { // clear once hscan32 is nearly 

full 

host[hs] .host_scan[0] = host[hs] .host_scan[l] = 0 ; 
host[hs] .host_scan[2] = host [hs] .host_scan[3] = 
host[hs] .host_scan[4] = 0 ; 

host[hs] .scan_cntr[0] = host [hs] . scan__cntr [1] = 0 ; 

} 

} 

if( host[hs].scan_cntr[0] < (((3*host [hs] .scan^cntr[l]) » 3) - 2) ) { // 
hscan32 < (3/8)hscanl28 - 1 



host 
host 
host 
host 

host[hs] .host_scan[4 
host 



hs 
hs 
hs 
hs 
= 0 



alerts |= IP_SCAN ; 
.concern += host_scan_CI ; 
.host_scan[0] = host[hs] .host_scan[l] = 0 ; 
.host_scan[2] = host[hs] .host_scan[3] = 



hs] .scan_cntr[0] = host [hs] . scan_cntr [1] = 0 ; 



if( f^verbose == 2 ) printfC ### BINGO p32: %u, pl28: 
%u\n M ,host[hs] . scan_cntr [0] ,host[hs] .scan_cntr[l]) ; 
} 
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else { 

if(( f_verbose == 2 ) && ( host [hs] . scan_cntr [1] > 2 )) { 
printfC" --- NOGO h32: %u, hl28: %u x32:%8x, 
xl28:%8x,%8x,%8x,%8x xl:%d, x2:%8x\n", 

host[hs] .scan_cntr[0] , host[hs] . scan_cntr [1] , 

host [hs] . host_scan [4] , 

host[hs] . host_scan[0] , host[hs] .host_scan[l] , 
host[hs] .host_scan[2] , host[hs] . host_scan[3] , xl,m2) ; 
} } 

if( des^port < 1024 ) { // avoid false positives due to Napster 

register unsigned long pp, pm, pi ; // ########## PORT SCAN 
DETECTION ########## // 

pp = des_port &0xlf ; // 0 to 31 

pi = (des_port » 5) & 1 ; // 0 or 1 

pm = (unsigned long) 1 « pp ; // 1 '1' in 32-bit field 

if(! (pm & host[ hs ].port_scan[ pi ])) { // new long-term bit to 

set ? 

host[ hs ].port_scan[ pi ] |= pm ; // used to detect 

short-term port scans 

host[hs] .scan_cntr[2] ++ ; 

if( host[hs] .scan_cntr[2] > port_SCAN_max ) { 
hs]. concern += port_scan_ci ; 



.alerts |= pt_scan_alert ; 
. port_scan[0] = host [hs] ,port_scan[l] = 0 ; 



host 
host[hs 
host[hs_ 

// clear short-term port-scan bits & counter 

host[hs] .scan_cntr[2] = 0 ; 
if(f_verbose == 2) printf(" ### Port Scan - Short-Term Detected. hs:%u\n" ,hs ) ; 

} // end - ling-term threshold exceeded? 
else { 

if (f_verbose==2) { 

printf("Port %u - ST bit already set. pi:%u, pp: %u, 
pm: %8x, ST: %8x,%8x,LT: %8x-%8x\n\n" ,des_port , pi,pp,pm, 

host [hs] . port_scan [0] , host [hs] . port_scan [1] , 
host [hs] . port^scan [2] , host [hs] . port_scan [3] ) ; 

fflush( stdout ) ; 

} 

} 

if(! (pm & host[ hs ].port_scan[ pi | 2 ])) { // pi | 2 = 2 or 3 , new 
long-term bit to set ? 

host[ hs ].port_scan[ pi | 2 ] |= pm ; // used to detect 

long-term port scans 

host[hs] .scan_cntr[3] ++ ; 

if( host[hs] .scan_cntr[3] > PORT_SCAN_ltjviax ) { 



concern += P0RT_SCAN_LT_CI 
.alerts |= lt_pt_scan ; 

port_scan[2] = host[hs] .port_scan[3] = 0 ; 



host [hs 
host [hs 
host[hs_ 

// reset long-term port-scan bit map & counter 

host[hs] . scan_cntr[3] = 0 ; 
if (f_verbose==2) printf( M ### Port Scan - Long-Term Detected. hs:%u\n",hs ) ; 

} // end - ling-term threshold exceeded? 
else { 

if (f_verbose==2) { 

printf ("Port %u - LT bit already set. pi:%u, pp: %u, 
pm: %8x f ST: %8x,%8x,LT: %8x-%8x\n\n H ,des_port , pi,pp,pm, 
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host [hs] . port_scan [0] , host [hs] . port_scan [1] , 
host[hs] .port_scan[2] , host [hs] .port_scan[3]) ; 

fflush( stdout ) ; 



if( f_verbose == 3) { 

printf (" Record-Probe End. np:%u at %u, hs: %u, d_ip: %8x, 

port: %u\n", 

np, *(&t_run) ,hs, d_ip, des_port); 
fflush( stdout); 

} 

} // end - port scan check 
return ; 
} // - end - record_probe() 



void suicide( int yesterday ) { // kill this instance of lancope, start fresh 
char command [50] ; 

// yesterday = (tjiere % 86400) % 30 ;// day of month 0-29 - name of 
directories for saving files 
setuid( 0 ) ; 

sprintf (command,"lc_restart.sh %d 1» lc_log.txt 2»1 c_log.txt &" , 
yesterday; ; 

printf ("system call : %s\n" , command) ; 
if( systemC command ) ) { // returns zero if ok 
printf (" #### FAILED ####\n n ) ; 
return ; 

printf (" #### RESTART CALL OK, SHUTTING DOWN NOW #### LOGS SAVED ON ^d'Xn" 

yesterday) ; 

running = 2 ; // end other threads if 'Ic.restart 1 started. 
kill_tcpdump() ; 
return ; 
} // end - suicideQ 



void userhandler(int sig) { // SIGTERM handler (kill <PID> response) 
int i ; 

i = save_profiles() ; 

printf ("\n ######### SIGTERM (%d) - Saved %u Profiles. No Restart. 
###########\n\ n " f sig, i ) ; 

running = 2 ; 

kin_tcpdump() ; 

return ; 
} // end - userhandler 

// ### END OF FILE #### 



LANcope by John Cope! and 9/28/00, copyright 2000, all rights reserved p. 
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